Description

[0001] The present invention relates to a device for authenticating user's access rights to resources. 
[0002] Program execution control technologies are known in the field to which the present invention belongs. The
program execution control technologies are technologies to:

1. Embed a routine for user authentication during the use of an application program;

2. Have the routine examine whether the user attempting execution of the application possesses a key for proper
authentication; and

3. Continue the program only when the existence of the key for authentication is verified; otherwise, halt execution.

[0003] By using these technologies, execution of the application program is enabled only for proper users having 
the authentication key. The technologies are commercialized in the software marketing field, two examples being
SentinelSuperPro (trade mark) from Rainbow Technologies, Inc. and HASP (trade mark) from Aladdin Knowledge Systems,
Ltd.

[0004] In the use of program execution control technologies, a user who executes software possesses an authenti- 
cation key as user identification information. The authentication key is a key for encryption and is distributed to the 
user by a party who allows use of software, a software vendor, for example. The authentication key is securely sealed
in a memory, or the like, of hardware to prevent duplication, and is delivered to the user using physical means such
as the postal service. The user mounts the hardware on a personal computer/workstation using a designated method. When the user
starts up the application program and when the execution of the program reaches the user authentication routine, the 
program communicates with the hardware in which the authentication key of the user is embedded. Based on the 
results of the communication, the program identifies the authentication key, and moves the execution to the following 
step upon confirmation of existence of the correct authentication key. If the communication fails and the verification of
the existence of the authentication key is not established, the program stops automatically, discontinuing the execution
of subsequent steps. 

[0005] Identification of the authentication key by the user authentication routine is executed according to the following 
protocol, for example: 

1. The user authentication routine generates and transmits an appropriate number to the hardware in which the
key is embedded.

2. The hardware in which the key is embedded encrypts the number using the embedded authentication key and 
transmits it back to the authentication routine. 

3. The authentication routine determines whether or not the number transmitted back is the number expected
beforehand, or, in other words, the number obtained by encrypting the number with a correct authentication key.

4. If the number transmitted back coincides with the expected number, the execution of the program is continued, 
otherwise the execution is halted. 

5. In this case, communication between the application program and the hardware in which the authentication key
is embedded must be different for each execution even if it is between the same location in the same application
with the same hardware.

Otherwise, a user who does not possess the correct authentication key may be able to execute the program by 
recording once the content of communication during the normal execution process, and by responding to the 
application program according to the recording each time the subsequent program is executed. Such improper 
execution of the application program by replaying the communication content is called a replay attack. 

[0006] In order to prevent a replay attack, in general, a random number is generated and used for each communication
as the number to be transmitted to the hardware in which the key is embedded.

[0007] Elektronik 41(1992), pages 68 to 74, discloses software protection by using a dongle having a processor 
which decrypts encrypted data supplied from the software to be protected. The dongle key consists of a firm and user
code and is supplied to the decryption algorithm together with a selection code.

[0008] The present invention has been made in view of the above circumstances and an aspect of the present 
invention is to provide a device for authenticating user's access rights to resources and its method which set both users 
and the protecting side such as application providers free from inconveniences caused by handling of large amount 
of unique information, for example, a lot of authentication keys, and thereby user's access rights are easily and simply
authenticated when the execution control of the program, privacy protection of electronic mails, access control of files
or computer resources and so forth are carried out. 
[0009] The invention provides a device as defined in claim 1.

[0010] With the above constitution, the unique security characteristic information of the device assigned to the
protecting side and the unique identifying information of the user are made to be independent of each other. The information
on actual access rights is represented as proof support information (i.e., an access ticket). The user has the user 
unique identifying information in advance, and on the other hand, a protector, such as a program creator prepares the 
unique security characteristic information, or the counterpart of the unique security characteristic information in terms
of the public key cryptography, independent of the user unique identifying information held by the user. An access ticket
is generated based on the user unique identifying information and the unique security characteristic information used 
in creation of the application program or the like. Access tickets are distributed to the users, whereby authentication 
of the user's access rights to resources, such as execution control, can be performed. Thus complexity occurring in the
case where both sides of user and protector use the same information for performing authentication can be avoided. 

[0011] Moreover, in the above constitution, at least the second memory means and the response generation means
may be confined in the protect means which prevents any data inside from being observed or being tampered with 
from the outside. It may also be possible to implement at least the second memory means and the response generation 
means within a small portable device such as a smart card. 

[0012] The response generating means may comprise first calculation means and second calculation means, wherein
the first calculation means executes predetermined calculations to the user unique identifying information stored in the
second memory means and the proof support information stored in the third memory means to obtain the unique 
security characteristic information as a result, and the second calculation means executes predetermined calculations 
to the challenging data stored in the first memory means and the unique security characteristic information calculated 
by the first calculation means to generate the response as a result of calculation. 
[0013] The above-described response generation means may comprise third calculation means, fourth calculation
means and fifth calculation means. The third calculation means executes predetermined calculations to the challenging 
data stored in the first memory means and the proof support information stored in the third memory means, the fourth 
calculation means executes predetermined calculations to the challenging data stored in the first memory means and 
the user unique identifying information stored in the second memory means, and the fifth calculation means executes 
predetermined calculations to the results of calculation by the third and fourth calculation means, whereby the response
is generated. In this case, at least the second memory means and the fourth calculation means can be confined within 
the protect means which prevents any data inside from being observed or being tampered with from the outside. At 
least the second memory means and the fourth calculation means may be implemented within a small portable device 
such as a smart card. 

[0014] The invention furthermore provides a method as defined in claim 47, a computer program product as indicated
in claim 48 or 49, a control device according to claim 50, and an apparatus as defined in claim 51.
[0015] The accompanying drawings, which are incorporated in and constitute a part of this specification illustrate 
embodiment of the invention and, together with the description, serve to explain the objects, advantages and principles 
of the invention. In the drawings: 

Fig. 1 is a block diagram showing an example of the fundamental constitution of the present invention;
Fig. 2 is a block diagram showing an example of the constitution of the present invention in case that an entire device is implemented within a single PC;
Fig. 3 is a block diagram showing the constitution of a first embodiment of a device for authenticating user's access rights to resources according to the present invention;
Fig. 4 is a flow chart showing functions of means constituting the devices of the first embodiment;
Fig. 5 is a block diagram showing the constitutions of a verification device and a proving device of a second embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 6 is a flow chart showing functions of means constituting the verification device of the second embodiment;
Fig. 7 is a block diagram showing a constitutional example of execution means of the verification means of the second embodiment;
Fig. 8 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 7;
Fig. 9 is a block diagram showing a second constitutional example of execution means of the verification means of the second embodiment;
Fig. 10 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 9;
Fig. 11 is a block diagram showing a third constitutional example of execution means of the verification means of the second embodiment;
Fig. 12 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 11;
Fig. 13 is a block diagram showing a fourth constitutional example of execution means of the verification means of the second embodiment;
Fig. 14 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 13;
Fig. 15 is a block diagram showing the constitution of a proving device of a third embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 16 is a flow chart showing functions of means constituting the proving device of the third embodiment;
Fig. 17 is a block diagram showing a constitutional example of a fourth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 18 is a block diagram showing another constitutional example of the fourth embodiment;
Fig. 19 is a flow chart showing functions of means of the constitutional example shown in Fig. 17;
Fig. 20 is a block diagram showing the constitution of a fifth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 21 is a flow chart showing functions of means constituting a verification device of the fifth embodiment;
Fig. 22 is a block diagram showing the constitution of a sixth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 23 is a flow chart showing functions of means constituting devices of the sixth embodiment;
Fig. 24 is a block diagram showing the constitution of a seventh embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 25 is a flow chart showing functions of means constituting devices of the seventh embodiment; and
Fig. 26 is a block diagram showing a part of constitution of a proving device of ninth and tenth embodiments of the device for authenticating user's access rights to resources according to the present invention.

[0016] At first, an example of the fundamental constitution of the present invention is described. The user authentication
system of the example can be applied to privacy protection of electronic mails or control of access to files or
computer resources as well as control of execution of applications.

[0017] In Fig. 1, the user authentication system comprises a verification device 10 and a proving device 11: the
proving device 11 receives an access ticket (proof support data) from an access ticket generation device 12; the
verification device 10 executes a verification routine 15; the proving device 11 retains user identifying information 16 and
the access ticket 13 and executes a response generation program 17.

[0018] The access ticket generation device 12 is installed in the protector side, such as an application provider. The
access ticket generation device 12 generates the access ticket 13 based on unique security characteristic information
of the device 14 and the user identifying information 16 and the access ticket 13 is forwarded to the user through
communication or sending of a floppy-diskette or the like to be retained by the proving device 11 of the user. Then the
verification device 10 sends challenging data 18 to the proving device 11. The proving device 11 generates a response
19 by utilizing the access ticket 13 and the user identifying information 16, and returns it to the verification device 10.
The verification device 10 verifies the legitimacy of the response based on the challenging data, that is, the verification
device 10 verifies that the response has been generated based on the challenging data and the unique security
characteristic information of the device.

[0019] If the legitimacy of the response is verified, the access rights of the user are authenticated; accordingly,
continuation of execution of a program, access to files, and so forth, are permitted.

[0020] With the above constitution, an example of execution control of an application program is now described. 
[0021] In the above constitution, a user of an application program retains only one piece of user identifying information
16. The user identifying information is equivalent to a password in the password authentication and is unique, significant
information which identifies the user. If it is possible for the user to copy and distribute the user identifying information
16, it will lead to the use of the application program by the user without legitimate access rights; therefore, the user
identifying information 16 is protected by protection means 160 so that even the user who is a legitimate owner of the
user identifying information 16 cannot steal it. The protection means 160 may be hardware with a protecting effect
(hereinafter referred to as tamper-resistant hardware) against theft of the inside conditions by external probes. A method
of implementation of the tamper-resistant hardware will be described later.

[0022] In addition to the user identifying information 16, the response generation program 17 which executes
predetermined computations is provided to the user. The program 17 performs communication with a user authentication
routine (verification routine 15): on receiving two parameters, namely, the user identifying information 16 and the access
ticket 13, the program 17 executes computations to arbitrary inputted values to generate the response 19 for identifying
the user. The user identifying information 16 is used in the course of the computation, and it is required to protect at
least a part of the program 17 by the protection means 160 since leakage of the user identifying information 16 to the
outside will cause a problem by the above-described reason.

[0023] Hereinafter, memory means for storing the user identifying information and a part of the program which are
protected by the protection means 160, device for executing the part of the program (for example, consisting of a
memory and a MPU) and the protection means 160 are integrally referred to as token (shown by the reference numeral
20 in Fig. 1). The token may have portability, like a smart card.

[0024] Similar to the conventional execution control technologies, the verification routine 15 is set to the application
program. The verification routine 15 is same as that of the conventional technologies in that it communicates with the
response generation program 17 retained by the user, and continues execution of the program if and only if a returned
result (response 18) is correct. Therefore, it is necessary that the program creator knows the method of computing the
combination of transferred data (challenging data 18) and correct returned data corresponding thereto (response 19).
[0025] Some examples of functions of the verification routine 15 are explained as follows:

1. Data to be transferred (challenging data 18) and expected returned data (expected value) are embedded in the
verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user,
and receives the returned data from the user. Then the verification routine 15 compares the returned data from
the user with the expected value: if they are identical with each other, the verification routine 15 executes the next
step of the program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance 
with a predetermined encryption algorithm, the unique security characteristic information of the device is an en- 
cryption key. 

2. Data to be transferred (challenging data 18) and data generated by applying a one-way function to expected
returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the
data to be transferred and transfers it to the user, and receives the returned data from the user. Then the verification
routine 15 compares data generated by applying the one-way function to the returned data from the user with the
expected value: if they are identical with each other, the verification routine 15 executes the next step of the
program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance 
with a predetermined encryption algorithm, the unique security characteristic information of the device is an en- 
cryption key. 

3. Protection is provided by encrypting a part of code of the application program in accordance with a predetermined
encryption algorithm so that execution of the program may be impossible. The verification routine 15 transfers the
encrypted code to the user and receives returned data from the user, and then replaces the received value with the
encrypted code.

With this constitution, execution of the program may be possible if and only if the returned data is a correct 
decryption of the encrypted code. In this case, the unique security characteristic information is a decryption key 
for decrypting the encrypted code. 

4. Protection is provided by encrypting a part of code of the application program in accordance with a predetermined
encryption algorithm so that execution of the program may be impossible. Moreover, data generated by encrypting
a decryption key paired with the encryption key used for encrypting the code is embedded as transferred data in
the verification routine 15. The verification routine 15 transfers the encrypted decryption key to the user and
receives returned data from the user, and then decrypts the encrypted code with the value of the received data as
a decryption key.

[0026] With this constitution, the encrypted code is correctly decrypted if and only if the returned data is a decryption 
key which has been correctly decrypted, and accordingly execution of the program becomes possible. In this case, 
the unique security characteristic information of the device is a decryption key for decrypting the encrypted decryption 
key. 

[0027] In the conventional execution control technologies, the user identifying information (authentication key of the 
user) is identical with the unique security characteristic information of the device. The conventional response generation 
routine receives the unique security characteristic information and the data transferred from the verification routine as 
the input, and then executes computations thereto for generating data to be returned. 

[0028] By contrast, the present invention is characterized in that the user identifying information 16 and the unique 
security characteristic information of the device 14 are independent of each other. In this constitutional example, the 
response generation program 17 adds the access ticket 13 to the user identifying information 16 and the data transferred
from the verification routine 15 (challenging data 18) as the input, and then executes predetermined computations to 
them for generating the data to be returned (response 19). The constitution has the following properties: 

1. The access ticket 13 is the data calculated based on the specific user identifying information 16 and the unique
security characteristic information of the device.

2. At least from the viewpoint of the computation amount, it is impossible to calculate the unique security charac- 
teristic information from the access ticket 13 without knowing the user identifying information 16. 

3. The response generation program 17 executes computations for generating correct data to be returned if and
only if a correct combination of the user identifying information 16 and the access ticket 13 is supplied. Note that the access
ticket 13 has been calculated based on the user identifying information 16.

[0029] With the constitution described so far, the execution control can be carried out by the following steps: the user
has the user identifying information 16 in advance; the program creator prepares the application program independent
of the user identifying information 16 retained by the user; and the program creator generates the access ticket 13
based on the user identifying information 16 and the unique security characteristic information of the device 16 used
in creating the application program and distributes the access ticket 13 to the user.

[0030] It may be possible to constitute the user identifying information 16 by two pieces of user identifying information
for distinguishing the information used for preparing the access ticket 13 from the information used in a communication
program by the user. In the most representative example, the user identifying information 16 is made to be a public
key pair: the public key is published to be used for generating the access ticket; and the individual key is confined
within the token 20 as user's individual secret information. In this case, it is possible to calculate the access ticket 13
while the user identifying information 16 is kept secret by calculating the access ticket 13 from the unique security
characteristic information 14 and the public key of the public key pair.

First Embodiment 

[0031] In a first embodiment, an access ticket t is defined as the relation (1).

(1) t = D - e + ωφ(n)

[0032] In the following bulleted paragraphs, symbols used in the above relation are described.

• An integer n is an RSA modulus, hence, a product of two very large prime numbers p and q (n = pq).

• φ(n) denotes the Euler number of n, hence, a product of two integers p-1 and q-1 (φ(n) = (p-1)(q-1)).

• A piece of user identifying information e is an integer allocated to each user. A piece of user identifying information
is unique to a user: a different user identifying information is allocated to a different user.

• An access-ticket secret key D is a private key of an RSA public key pair. Since the modulus is assumed to be n,
the relation (2) is derived from the definition.

(2) gcd(D, φ(n)) = 1

• In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer
E satisfying the relation (3), which is called an access-ticket public key, is derived from the relation (2).

(3) ED mod φ(n) = 1

• ω is an integer dependent upon both n and e. It is required that a probably different value be allocated to ω if
at least one of n and e is different. In defining ω in a consistent manner, a one-way hash function h may be used.

(4) ω = h(n | e)

[0033] In the relation (4), n | e denotes the concatenation of the two bit-string representations of n and e. A one-way
hash function h is a function having the property that it is extremely difficult to calculate two distinct x and y satisfying
h(x) = h(y). Known examples of one-way hash functions are the MD2, MD4 and MD5 of RSA Data Securities Inc., and 
the standard SHS (Secure Hash Standard) of the U.S. federal government. 

[0034] Among the above numbers, t, E and n can be open to public without any risk, while the rest of the numbers,
namely D, e, ω, p, q and φ(n), are to be kept secret to everybody but those who are allowed to generate an access
ticket. Fig. 3 depicts the constitution of the first embodiment. A verification device 10 comprises the following: an
access ticket public key storing means 101; a random number generation means 102; a random number storing means
103; a response storing means 105; a verification means 106; an execution means 107; and an error trapping means
108. On the other hand, a proving device 11 comprises the following: a challenging data storing means 111; a first
calculation means 112; an access ticket storing means 113; a second calculation means 114; a user identifying
information storing means 115; and a response generation means 116.

[0035] By the following numbered paragraphs, the function of the means constituting the devices will be described. 

1. The verification device 10 is invoked by a user. The way to invoke the device varies depending upon how the 
device is implemented. A few examples are now shown. First, the verification device 10 may be implemented as
a part of an application program to be installed and executed on a user's PC or workstation. In this case, the user 
may invoke the verification device 10 by invoking the application program in ordinary ways. For example, the user 
may click the iconic symbol representing the application program on the computer screen with a pointing device 
such as a mouse, or may use a keyboard. The verification device 10 may be implemented as a program installed 
and executed on a server computer that is connected to a user's PC or workstation by means of computer network. 
In this case, in order to invoke the verification device 10, a user first invokes a communication program installed 
on his/her own PC or workstation: the communication program establishes a connection to the server, and asks 
the server to invoke the verification device 10. When the communication program and the server follow the TCP/IP
protocols, for instance, the verification device 10 is allocated to a predefined port number on the server computer.
When the communication program issues a requirement for establishing a connection to the port, inetd, a daemon
program running on the server computer, receives the requirement. After checking which program is allocated to
the specified port, it finally invokes the verification device 10, and establishes a connection between the verification
device and the communication program. This way of implementation is very common in networked computer sys- 
tems like Internet. The verification device 10 may be implemented as a program written on a ROM or EEPROM 
within a smart card reader-writer. In this case, the proving device 11 is a program installed on an IC chip of a smart
card; the verification device 10 is invoked whenever a user inserts his/her smart card into the smart card reader- 
writer. 

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111
of the proving device 11. The modulus n is stored in the access-ticket public key storing means 101. On the other
hand, challenging data C is generated as follows: the random number generation means 102 generates a random
integer r so that r and the modulus n are relatively prime (gcd(r, n) = 1); the generated random integer r is stored
in the random number storing means 103; finally, the random number generation means 102 sets the value of C
to r. As stated later in more detail, the response which the proving device 11 is to respond to the verification device
10 is RSA-encryption of r with D as the key and n as the modulus. Since the value of C is identical to the random
integer r, it varies with occurrence of communication between the verification device 10 and the proving device 11.
This prevents so-called replay attack from succeeding.

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (5). An access ticket t to be used is stored in the access ticket storing means 113. 

(5) R' = C^t mod n

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation 
(6). A user identifying information e to be used is stored in the user identifying information storing means 115. 

(6) S = C^e mod n

5. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response 
generation means 116 of the proving device 11 calculates a response R according to the relation (7). 

(7) R = R'S mod n 

6. The proving device 11 returns the generated response R to the response storing means 105 of the verification 
device 10. 

7. The verification means 106 of the verification device 10 first performs the calculation (8). Both the exponent E 
and the modulus n are stored in the access ticket public key storing means 101, and the response R is stored in
the response storing means 105.

(8) R^E mod n

[0036] Finally, the verification means 106 examines the relation (9).

(9) C mod n = R^E mod n
[0037] If the relation (9) holds, the verification means invokes the execution means 107. The execution means 107
provides a user with utilities that he/she wanted to access. Otherwise, it invokes the error trapping means 108. The
error trapping means 108 may deny user access by terminating the execution. 
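
The following Python sketch is an added example and is not part of the patent text. It runs relations (1) to (9) of the first embodiment end to end and also exercises the replay case of paragraphs [0005] and [0006]; the toy primes, the use of SHA-256 as the hash function h, the function names and the two user values are assumptions made for illustration.

```python
"""Access-ticket challenge-response of the first embodiment, relations (1)-(9)."""
import hashlib
import math
import secrets

# Constructed toy key material: two known Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                    # RSA modulus n (public)
PHI = (P - 1) * (Q - 1)      # Euler number phi(n) (secret, ticket issuer only)
E = 65537                    # access-ticket public key E (public)
D = pow(E, -1, PHI)          # access-ticket secret key D; relation (3): ED mod phi(n) = 1


def omega(n: int, e: int) -> int:
    """Relation (4): omega = h(n | e). SHA-256 stands in for h (assumption)."""
    width = (n.bit_length() + 7) // 8
    data = n.to_bytes(width, "big") + e.to_bytes(width, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_ticket(e: int) -> int:
    """Relation (1): t = D - e + omega * phi(n). Run by the protector, who holds D and phi(n)."""
    return D - e + omega(N, e) * PHI


def new_challenge(n: int) -> int:
    """Verification device, step 2: fresh random r with gcd(r, n) = 1, and C = r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def respond(c: int, n: int, t: int, e: int) -> int:
    """Proving device, relations (5)-(7)."""
    r_prime = pow(c, t, n)   # (5) R' = C^t mod n, needs only the public ticket
    s = pow(c, e, n)         # (6) S = C^e mod n, the step that uses the secret e
    return (r_prime * s) % n  # (7) R = R'S mod n, which equals C^D mod n


def verify(c: int, r: int, e_pub: int, n: int) -> bool:
    """Verification device, relations (8)-(9): accept iff C mod n == R^E mod n."""
    return c % n == pow(r, e_pub, n)


def demo() -> dict:
    """Run one legitimate exchange, one with the wrong user, and one replay."""
    user_a_e, user_b_e = 1234567, 7654321   # constructed user identifying information
    ticket = issue_ticket(user_a_e)         # ticket bound to user A's e
    c1 = new_challenge(N)
    r1 = respond(c1, N, ticket, user_a_e)   # user A answers challenge c1
    c2 = new_challenge(N)                   # a later run draws a new challenge
    return {
        # Correct (ticket, e) pair: exponents sum to D + omega*phi(n), so R^E = C.
        "legitimate": verify(c1, r1, E, N),
        # User B holding A's ticket: the exponent is off by (e_B - e_A), check fails.
        "wrong_user": verify(c1, respond(c1, N, ticket, user_b_e), E, N),
        # Recorded response r1 sent against the new challenge c2: check fails.
        "replayed": verify(c2, r1, E, N),
    }


if __name__ == "__main__":
    print(demo())
```

The ticket alone never yields a valid response: only the sum of exponents t + e cancels the user-specific term, which is why the step computing S is the one to keep inside the tamper-resistant token.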

Second Embodiment

[0038] A second embodiment to be described is the same as the first embodiment regarding the definition of an 
access ticket t and the function of the proving device. However, the verification device works differently. The difference 
in the roles between challenging data C and a response R causes the difference in the function between the two
embodiments: in the first embodiment, a response R is encryption of a random challenging data C; in the second
embodiment, a response R will be decryption of challenging data C which is encryption of some other meaningful data.
[0039] Fig. 5 depicts the constitution of devices of the second embodiment, and Fig. 6 depicts flow of data. A verifi- 
cation device 10 comprises the following means: an access ticket public key storing means 101; a random number 
generation means 102; a random number storing means 103; a response storing means 105; a randomizing means 

15 121; a challenge seed storing means 122; a de-randomizing means 123; and an execution means 310. A proving 
device 11 comprises the following means: a challenging data storing means 111; a first calculation means 102; an 
access ticket storing means 113; a second calculation means 114; a user identifying information storing means 115; 
and a response generation means 116. 

[0040] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1. The verification device 10 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 
of the proving device 11. The modulus n is stored in the access ticket public key storing means 101. On the other 
hand, challenging data C is generated by carrying out the following steps: the random number generating means 
102 generates a random integer r so that r and the modulus n are relatively prime (gcd(r, n) = 1); the random 
integer r is stored in the random number storing means 103; the randomizing means 121 generates challenging 
data C according to the relation (10). 

(10) $C = r^{E} C' \bmod n$

The integer C' is stored in the challenge seed storing means 122, and satisfies the relation (11) for some data K. 

(11) $C' = K^{E} \bmod n$

The exponent E (access ticket public key) and the modulus n are both stored in the access ticket public key 
storing means 101. 

The verification device 10 retains the encryption C' of K instead of K itself. In fact, C' is the RSA encryption of K with 
a public key E and a modulus n. This has an advantage from the viewpoint of security: the data K crucial for 
authentication procedures never leaks from the verification device 10. The randomness of r also plays an important role: 
if r were identical to some secret constant, the challenging data C would be encryption of the data K up to a constant 
coefficient, and therefore the response which the proving device 11 generates would be K up to a constant 
coefficient; thus, constant r would allow replay attacks since communication between the verification device 10 and 
the proving device 11 would be always identical. In this embodiment, by generating challenging data C so that it 
is dependent on a random number r (see the relation (10)), communication between the verification device 10 and 
the proving device 11 occurs with variation, and therefore attempts of replay attacks become hopeless. 

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (12). 

(12) $R' = C^{t} \bmod n$

In course of calculation, the means uses the access ticket t stored in the access ticket storing means 113. 

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation 
(13). 

(13) $S = C^{e} \bmod n$

In course of calculation, the means uses the user identifying information e stored in the user identifying 
information storing means 115. 

5. Receiving the intermediate result R' and the differential S from the first calculation means 112 and the second 
calculation means 114, the response generation means 116 of the proving device calculates a response R 
according to the relation (14). 

(14) $R = R'S \bmod n$

6. The proving device 11 returns the generated response R to the response storing means 307 of the verification 
device 10. 

7. The de-randomizing means 123 of the verification device 10 calculates K' according to the relation (15). 

(15) $K' = r^{-1} R \bmod n$

[0041] In course of calculation, the means uses the random number r stored in the random number storing means 
103 and the response R stored in the response storing means 105. Note that the values K' and K are identical with 
each other, if and only if the proving device 11 calculated the response R based on a right pair of an access ticket t 
and a user identifying information e. 

[0042] Finally, the de-randomizing means 123 sends K' to the execution means 310, and the execution means 310 
executes predefined procedures using this given K'. The execution means 310 is designed so that it works properly 
only when K' is identical with K; otherwise it fails to work. 

[0043] The following paragraphs describe several examples of implementation of the execution means 310. 

1. Fig. 7 depicts a first example. A memory means 310a of the execution means 310 retains the data K. Receiving 
K' from the de-randomizing means 123, a comparison means 310b directly examines the equality K = K'. If the 
equality does not hold, the execution means 310 suspends its performance immediately. Otherwise, the execution 
means 310 continues its performance and provides users with utilities. This example has the disadvantage 
that the data K critical for authentication procedures appears as it is in the device: when a 
computer program to be installed and executed on a user's PC or workstation is implemented on the execution 
means 310, it is not impossible for a user to find out the value K by analyzing the code of the application program. 
The value K is crucial, because, once the user knows the value of K, and further if he/she can predict the random 
number sequences to be generated by the random number generation means 102, he/she can construct a device 
simulating the proving device 10 without either an access ticket or a user identifying information e. In other 
words, anybody could pass the authentication check by the verification device 10 with this simulator, whether he/she 
is authorized or not. 

2. Fig. 9 depicts a second example. In this example, a memory means 310a retains h(K), instead of K, which is a 
value obtained by applying a one-way hash function h to K. A significant property of one-way hash functions is 
that it is computationally impossible to calculate x satisfying y = h(x) given y. Receiving K' from a de-randomizing 
means 123, a hashing means 310c calculates h(K') which is the result of applying the one-way hash function h to K'. 
Then, the comparison means 310b examines the identity of this h(K') and the value stored in the memory 
means 310a (= h(K)). Compared with the first example, this example is safer since there is no effective means to 
find out the critical data K: even though a user succeeded in analyzing the code of the program constituting the 
execution means 310, he/she couldn't find out any more than the value of h(K); due to the property of one-way 
hash functions, it is computationally impossible to calculate K given h(K). However, when the execution means 
310 is implemented as a computer program, the comparison means 310b may be represented as an if-clause. If 
the verification device is further assumed to be executed on a user's PC or workstation, a user may have a chance 
to modify the code so that the if-clause shall be always skipped. 

Therefore, the implementation of this example is not safe enough, in particular, if the execution means 
310 is implemented as a computer program to be executed on a user's PC or workstation. 

3. Fig. 11 depicts a third example. This time, protection is applied such that execution of the program of the execution 
means 310 becomes impossible by encrypting a portion or the whole of the code of the program. The encrypted 
code is stored in the challenge seed storing means 122 as a seed C' for challenging data C. More precisely, the 
crucial data K is program code to be encrypted, and C' is RSA encryption of the code K with a public key E and a 
modulus n ($C' = K^{E} \bmod n$). Both E and n are the values stored in the access ticket public key storing means 101. 
The execution means 310 includes a code storing means 310d, a code loading means 310e and a code execution 
means 310f. The code loading means 310e feeds K', which the code storing means 310d received from the 
de-randomizing means 123, to the code execution means 310f. Only when K' is identical with K, the code fed to the 
code execution means 310f is meaningful as a part of the program of the execution means 310. In the following, 
a more detailed description of the composition is provided. Consider the case where the execution means 310 is 
implemented as a computer program executed on a user's PC or workstation. The code storing means 310d is a 
specified region within a memory of a user's PC. 

The code execution means 310f comprises the CPU and OS of the PC. The CPU and OS, cooperating with 
each other, fetch instructions from a certain predefined region within the memory space (called program region), 
and execute those instructions one by one. Generally speaking, a meaningful chunk of instructions is called a 
program, and a program is located within the program region. The entity of the code loading means 310e is a part 
of the program constituting the execution means 310, and it is to be executed at first when the execution means 
310 is invoked. When invoked, the code loading means 310e orders the code execution means 310f to copy the 
content stored in the code storing means 310d onto a specified area within the program region, and then orders 
the code execution means 310f to execute the copied sequence of instructions by issuing a JMP command, for 
example. 

Thus, since a part or the whole of the code of the program of the execution means 310 is encrypted, and 
further since it is decrypted temporarily only when the verification device 10 and the proving device 11 cooperate 
with each other properly, the execution means 310 is much safer than in the cases of the preceding two examples: 
even though a user succeeded in analyzing the program, he/she couldn't obtain the missing code K at all; modifying 
the code of the program without the knowledge about K is definitely no use. 

4. Fig. 13 depicts a fourth example. This example is substantially the same as the third example except that K is 
the encryption key used in encrypting code of the program constituting the execution means 310, while K is the 
code itself in the previous example. Since the code to be encrypted may be of large size, according to the 
composition of the third example, the size of K (namely, that of C' and C) may be large enough to make the performance 
of the verification device 10 and the proving device 11 worse. In contrast, according to the composition of the fourth 
example, the size of K (namely, that of C) remains unchanged irrespective of the size of the program code to be 
encrypted: the size of K is determined by the cipher algorithm to be used; if DES (Data Encryption Standard) is 
used, K is always 64 (56) bits long even when the size of the code to be encrypted is measured in Mbytes. 

[0044] The execution means 310 comprises an encrypted code storing means 310g, a decryption means 310h, a 
code loading means 310i, and code execution means 310f. Receiving the data K' from the de-randomizing means 123, 
the decryption means 310h decrypts the content stored in the encrypted code storing means 310g. In the process of 
decryption, K' is used as a decryption key. The code loading means 310i loads the output of the decryption means 
310h, which is decrypted code if K' is identical with K, onto a specified area within the program region, and then orders 
the execution means 310f to execute the loaded code. 
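
The second embodiment's exchange, finished with the hash-comparing execution means of the second example, as an added Python example that is not part of the patent text. The primes, K, e, ω = 1 and the use of SHA-256 for h are constructed assumptions of this example, and the ticket form t = D - e + ωφ(n) is the first embodiment's definition.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key material; real moduli are thousands of bits long.
P, Q = 104729, 1299709           # issuer's secret primes
N = P * Q                        # modulus n
PHI = (P - 1) * (Q - 1)          # phi(n)
E = 65537                        # access ticket public key
D = pow(E, -1, PHI)              # access ticket secret key: ED mod phi(n) = 1


def issue_ticket(e, omega=1):
    """Issuer side: t = D - e + omega*phi(n) (omega = 1 is an assumption)."""
    return D - e + omega * PHI


def h(x):
    """One-way hash applied to K; SHA-256 is this example's choice."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()


class Verifier:
    """Verification device 10: keeps E, n, the seed C' and h(K), never K itself."""

    def __init__(self, K):
        self.seed = pow(K, E, N)             # relation (11): C' = K^E mod n
        self.k_digest = h(K)                 # memory means 310a holds h(K)
        self.r = None

    def challenge(self, r=None):
        """Relation (10): C = r^E C' mod n; r is fresh unless a caller pins it."""
        while r is None or gcd(r, N) != 1:
            r = secrets.randbelow(N - 2) + 2
        self.r = r
        return pow(r, E, N) * self.seed % N

    def derandomize(self, R):
        """Relation (15): K' = r^-1 R mod n."""
        return pow(self.r, -1, N) * R % N

    def accept(self, R):
        """Hashing means 310c and comparison means 310b: h(K') == h(K)."""
        return secrets.compare_digest(h(self.derandomize(R)), self.k_digest)


def prove(C, n, t, e):
    """Proving device 11, relations (12) to (14)."""
    r_prime = pow(C, t, n)                   # R' = C^t mod n
    s = pow(C, e, n)                         # S  = C^e mod n
    return r_prime * s % n                   # R  = R'S mod n


def demo():
    K, e = 424242, 1924845                   # constructed secret data and user id
    t = issue_ticket(e)
    v = Verifier(K)
    C1 = v.challenge()
    R1 = prove(C1, N, t, e)
    ok = v.accept(R1)                        # right ticket with the right e
    wrong_user = v.accept(prove(C1, N, t, e + 1))
    C2 = v.challenge()                       # new r, so a new transcript
    replayed = v.accept(R1)                  # old response against the new r
    return ok, wrong_user, C1 != C2, replayed


if __name__ == "__main__":
    print(demo())
```

Pinning r, as `challenge(r=...)` allows, reproduces the constant-r case the text warns about: the challenge and the accepted response are then identical on every run.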

Third Embodiment 

[0045] In a third embodiment, the definition of an access ticket is given as the relation (16). 

(16) $t = D + F(n, e)$

[0046] The following bulleted paragraphs illustrate the symbols appearing in the relation (16). 

• An integer n is an RSA modulus, hence, a product of two very large prime numbers p and q (n = pq). 

• $\phi(n)$ denotes the Euler number of n, hence, a product of two integers p-1 and q-1 ($\phi(n) = (p-1)(q-1)$). 

• A user identifying information e is an integer allocated to each user. The user identifying information e is unique 
to each user: a different user identifying information is allocated to a different user. 

• An access-ticket secret key D is the private key of an RSA public key pair. Since the assumed modulus is n, D 
satisfies the relation (17). 

(17) $\gcd(D, \phi(n)) = 1$

In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer 
E satisfying the relation (18), which is called an access-ticket public key, is derived from the relation (17). 

(18) $ED \bmod \phi(n) = 1$

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (19). 

(19) $F(x, y) = h(x \mid y)$

[0047] Figs. 15 and 16 are for depicting this embodiment: Fig. 15 depicts the constitution of the devices of this 
embodiment; Fig. 16 depicts flow of data. 

[0048] In Fig. 15, a proving device 11 comprises a challenging data storing means 111, a first calculation means 112, 
an access ticket storing means 113, a second calculation means 114, a user identifying information storing means 115, 
a response generation means 116, and an exponent generation means 130. A verification device 10 in this embodiment 
may be identical with that in any of the first embodiment (shown in Fig. 3) or the second embodiment (shown in Fig. 5). 

[0049] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1. The verification device 10 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 
of the proving device 11. The modulus n is stored in the access ticket public key storing means 101, and the 
challenging data C is generated in one of the manners defined in the first embodiment or the second embodiment: 
C is identical with either mod n or $r^{E} C' \bmod n$. 

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (20). An access ticket t to be used is stored in the access ticket storing means 113. 

(20) $R' = C^{t} \bmod n$

4. The exponent generation means 130 calculates F(n, e) by applying the collision-free function F to the modulus 
n, stored in the challenging data storing means 111, and the user identifying information e, stored in the user 
identifying information storing means 115. 

(21) $F(n, e)$

5. Receiving the result from the exponent generation means 130, the second calculation means 114 of the proving 
device 11 calculates a differential S according to the relation (22). 

(22) $S = C^{F(n, e)} \bmod n$

6. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response 
generation means 116 of the proving device calculates a response R according to the relation (23). 

(23) $R = R'S^{-1} \bmod n$

In the relation (23), $S^{-1}$ denotes the reciprocal of S under the modulus n. Hence, S and $S^{-1}$ satisfy the relation 
(24). 

(24) $SS^{-1} \bmod n = 1$

7. The proving device 11 returns the generated response R to the response storing means 105 of the verification 
device 10. 

8. The verification device 10 examines the response received from the proving device 11. 

Fourth Embodiment 

[0050] In a fourth embodiment, a proving device 11 comprises a computer program executed on a user's PC or 
workstation, a smart card or PC card (PCMCIA card) attachable to the user's PC or workstation, and a program executed 
on this smart card or PC card. 

[0051] As is obvious from the explanation of the former three embodiments, a user identifying information e, stored 
in a user identifying information storing means 115, must be kept secret from others. Furthermore, observing the process of 
execution of a second calculation means 114, which needs e as an input, may lead to leakage of e. The same 
situation applies to an exponent generation means 130. Consequently, in practical use, the user identifying information 
storing means 115, the second calculation means 114 and the exponent generation means 130 should be protected 
by some means against attempts to pry some crucial secret out of them. 

[0052] One solution is confining the crucial part of the proving device 11 within hardware equipped with function to 
prevent its inside from being observed or tampered with by unauthorized means. Generally, such hardware is called 
tamper-resistant hardware. 

[0053] In creating the tamper-resistant hardware, it is possible to use the technology disclosed in Patent Number 
1,863,953, Patent Number 1,860,463 or Japanese Laid-Open Patent Publication 3-100753, for example. In Patent 
Number 1,863,953, an enclosure composed of a plurality of cards having multi-layered conductive patterns is provided 
surrounding an information memory medium. Memory information is destroyed when the conductive pattern which is 
detected differs from an expected pattern. 

[0054] In Patent Number 1,860,463, a detection circuit composed of an integration circuit or the like is provided 
surrounding an information memory medium in addition to a conductive winding being formed, and through this, when 
there is infiltration to the electronic circuit region, fluctuations in electromagnetic energy are detected and memory 
information is destroyed. 

[0055] In Japanese Laid-Open Patent Publication 3-100753, an optical detector is provided within hardware, and 
the optical detector detects external light which enters when a force is applied which destroys the hardware or punctures 
the hardware, and a memory destruction device resets memory information. 

[0056] Further, choosing tamper-resistant hardware with portability such as a smart card or PC card may provide 
users with additional merits. Among information dealt with by a proving device 11, only an access ticket and a user 
identifying information are unique to an individual user. Hence, for example, it may be useful to confine a user identifying 
information storing means 115, access ticket storing means 113, a second calculation means 114 and exponent 
generation means 130 within a smart card or PC card, and implement the rest of the proving device 10 as a program to 
be executed on an arbitrary PC or workstation: a user can use an arbitrary PC or workstation, assuming that the 
program is installed on it, as his/her proving device only by inserting his/her own smart card or PC card into the computer. 

[0057] Fig. 17 depicts constitution of a proving device 11 of the first and second embodiments when a user identifying 
information storing means 115 and a second calculation means 114 are confined within a smart card. 

[0058] Fig. 18 depicts constitution of a proving device 11 of the third embodiment when an exponent generation means 
130 in addition to a user identifying information storing means 114 and a second calculation means 114 is confined 
within a smart card. 

[0059] For both Figs. 17 and 18, a card-side I/F means 141 within a smart card is an interface to a host computer 
for communication between a host computer and the smart card. More practically, the card-side I/F means 141 
comprises buffer memory and a communication program. 

[0060] A host-side I/F means 140, which is a part of a host computer, is the counterpart of the card-side I/F means 
141. Both I/F means, cooperating with each other, transfer messages from the host computer to the smart card, and 
vice versa. 

[0061] The following numbered paragraphs describe the function of the means constituting the devices. 

1. The verification device 10 is invoked by a user. 

2. The verification device 10 sends challenging data C and a modulus n stored in the access ticket public key 
storing means 101 to the challenging data storing means 111 of the proving device 11. 

3. The host-side I/F means 140 of the proving device 10 sends the challenging data C and the modulus n to the 
card-side I/F means 141 within the smart card. 

4. The access ticket searching means 142 retrieves an access ticket t corresponding to the modulus n that is stored 
in the challenging data storing means 111. As shown before, in any of the former three embodiments, the definition 
of an access ticket t involves a modulus n ($t = D - e + \omega\phi(n)$ or $t = D + F(n, e)$). In the access ticket storing means 
113, zero or more access tickets are stored, and each access ticket is indexed with the modulus that was used in 
generating the access ticket. 

5. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the 
relation (25). 

An access ticket t is stored in the access ticket storing means 113. 

(25) $R' = C^{t} \bmod n$

6. The host-side I/F means 140 issues a requirement for a differential S to the card-side I/F means 141. A response 
which the host-side I/F means 140 receives is a differential S of one of the following forms: if the access ticket t 
and the means within the smart card were implemented in the manner of the first and second embodiments, the 
differential S satisfies the relation (26); if the access ticket t and the means within the smart card were implemented 
in the manner of the third embodiment, the differential S satisfies the relation (27). 

(26) $S = C^{e} \bmod n$

(27) $S = C^{F(n, e)} \bmod n$

7. The response generation means 116 of the proving device 11 calculates a response R according to either the 
relation (28) or (29): if the access ticket t and the means within the smart card were implemented in the manner 
of the first and second embodiments, the relation (28) shall be applied; if the access ticket t and the means within 
the smart card were implemented in the manner of the third embodiment, the relation (29) shall be applied. 

(28) $R = R'S \bmod n$

(29) $R = R'S^{-1} \bmod n$

8. The proving device 11 returns the generated response R to the response storing means 307 of the verification 
device 10. 

[0062] In this embodiment, it is possible to calculate the intermediate result R' and the differential S concurrently, 
because the former is calculated within the host computer and the latter is within the smart card. Obviously, this 
concurrent calculation reduces the total time which the proving device 11 needs for calculating a response to a received 
challenging data. 

[0063] Further, in this embodiment, the access ticket storing means 113 may retain more than one access ticket, 
and the access ticket searching means 142 retrieves an appropriate access ticket using a modulus issued by the 
verification device 10 as a key for retrieval. Basically, a different verification device, which may be embedded within a 
different application program or server program, should assume a different modulus. Therefore, a user who wants to 
access more than one application program or server program is obliged to have a number of access tickets. 

[0064] The stated function of the access ticket searching means 142 relieves a user of the burden of 
selecting a correct access ticket by himself. 
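
The third embodiment's ticket t = D + F(n, e) combined with the fourth embodiment's host and smart-card split, as an added Python example that is not part of the patent text. The class and function names, the two toy moduli, the user values and SHA-256 over fixed-width fields for F are assumptions of this example, and the verifier is assumed to draw C at random and coprime to n.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # access ticket public key used by both constructed issuers


def F(n, e):
    """Relation (19), F(n, e) = h(n | e); fixed-width fields keep '|' unambiguous."""
    digest = hashlib.sha256(n.to_bytes(64, "big") + e.to_bytes(64, "big")).digest()
    return int.from_bytes(digest, "big")


class Issuer:
    """Knows the factors of n and issues t = D + F(n, e), relation (16)."""

    def __init__(self, p, q):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))   # ED mod phi(n) = 1

    def ticket(self, e):
        return self._d + F(self.n, e)


class SmartCard:
    """Card side: e stays inside; only the differential S crosses the interface."""

    def __init__(self, e):
        self._e = e

    def differential(self, C, n):
        return pow(C, F(n, self._e), n)           # relations (21) and (27)


class HostProver:
    """Host side of proving device 11: tickets are indexed by modulus."""

    def __init__(self, card):
        self.card = card
        self.tickets = {}                         # access ticket storing means 113

    def respond(self, C, n):
        t = self.tickets[n]                       # access ticket searching means 142
        r_prime = pow(C, t, n)                    # relation (25): R' = C^t mod n
        s = self.card.differential(C, n)
        return r_prime * pow(s, -1, n) % n        # relation (29): R = R' S^-1 mod n


def verify(C, R, n):
    """First-embodiment check, relation (9): C mod n == R^E mod n."""
    return C % n == pow(R, E, n)


def fresh_challenge(n):
    """Random C coprime to n (assumed form of the first embodiment's challenge)."""
    while True:
        C = secrets.randbelow(n - 2) + 2
        if gcd(C, n) == 1:
            return C


def authenticate(prover, n, rounds=4):
    """Several fresh challenges; a failed check or a missing ticket rejects."""
    try:
        return all(verify(C, prover.respond(C, n), n)
                   for C in (fresh_challenge(n) for _ in range(rounds)))
    except KeyError:
        return False


# Constructed setup: two applications with different moduli, two users.
APP_A = Issuer(104729, 1299709)
APP_B = Issuer(15485863, 32452843)
ALICE_E, BOB_E = 0xA11CE, 0xB0B


def build_alice():
    host = HostProver(SmartCard(ALICE_E))
    host.tickets[APP_A.n] = APP_A.ticket(ALICE_E)
    host.tickets[APP_B.n] = APP_B.ticket(ALICE_E)
    return host


def build_bob_with_alices_ticket():
    host = HostProver(SmartCard(BOB_E))
    host.tickets[APP_A.n] = APP_A.ticket(ALICE_E)  # copied ticket, wrong card
    return host
```

A copied ticket is useless on another user's card because the card's differential uses F(n, e) for its own e, so the exponents no longer cancel down to D.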

Fifth Embodiment 

[0065] In a fifth embodiment, the Pohlig-Hellman asymmetric key cryptography is used instead of the RSA public 
key cryptography. 

[0066] In this embodiment, the definition of an access ticket t is given as the relation (30). 

(30) $t = D + F(p, e)$

[0067] The following bulleted paragraphs illustrate the symbols appearing in the relation (30). 

• An integer p is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying information e is unique 
to an individual user: a different user identifying information is allocated to a different user. 

• An access ticket secret key D is one component of a Pohlig-Hellman asymmetric key pair. Since the assumed 
modulus is p, D satisfies the relation (31). 

(31) $\gcd(D, p-1) = 1$

[0068] In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an 
integer E satisfying the relation (32), which is called an access-ticket public key, is derived from the relation (31). 

(32) $ED \bmod (p-1) = 1$

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (33). 

(33) $F(x, y) = h(x \mid y)$

[0069] Figs. 20 and 21 are for depicting this embodiment: Fig. 20 depicts the constitution of the devices of this 
embodiment; Fig. 21 depicts flow of data. In Fig. 20, a proving device 41 comprises the following means: a challenging 
data storing means 411; a first calculation means 412; an access ticket storing means 413; a second calculation means 
414; a user identifying information storing means 415; a response generation means 416; and an exponent generation 
means 430. On the other hand, a verification device 40 comprises the following means: a key storing means 401; a 
random number generation means 402; a random number storing means 403; a response storing means 405; a 
randomizing means 421; a challenging seed storing means 422; a de-randomizing means 423; and an execution means 
310. 

[0070] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1. The verification device 40 is invoked by a user. 

2. The verification device 40 sends challenging data C and a modulus p to the challenging data storing means 411 
of the proving device 41. The modulus p is stored in the key storing means 401. In this embodiment, the challenging 
data C is assumed to be generated in a manner similar to that in the second embodiment. However, it is easy to 
construct another embodiment such that challenging data C is generated in a manner similar to that in the first 
embodiment. The challenging data C in this embodiment is generated by carrying out the following steps: the 
random number generating means 402 generates a random integer r so that r and the modulus p are relatively 
prime (gcd(r, p) = 1); the random integer r is stored in the random number storing means 403; and the randomizing 
means 121 generates challenging data C according to the relation (34). 

(34) $C = r^{E} C' \bmod p$

The integer C' is stored in the challenge seed storing means 422, and satisfies the relation (35) for some data K. 

(35) $C' = K^{E} \bmod p$

The exponent E (access ticket public key) and the modulus p are both stored in the key storing means 401. 

3. The first calculation means 412 of the proving device 41 calculates an intermediate result R' according to the 
relation (36). 

An access ticket t to be used is stored in the access ticket storing means 113. 

(36) $R' = C^{t} \bmod p$

4. The exponent generation means 430 calculates F(p, e) by applying the collision-free function F to the modulus 
p, stored in the challenging data storing means 111, and the user identifying information e, stored in the user 
identifying information storing means 415. 

(37) $F(p, e)$

5. Receiving the result from the exponent generation means 430, the second calculation means 414 of the proving 
device 41 calculates a differential S according to the relation (38). 

(38) $S = C^{F(p, e)} \bmod p$

6. Receiving R' and S from the first calculation means 412 and the second calculation means 414, the response 
generation means 416 of the proving device 41 calculates a response R according to the relation (39). 

(39) $R = R'S^{-1} \bmod p$

In the relation (39), $S^{-1}$ denotes the reciprocal of S under the modulus p. Hence, S and $S^{-1}$ satisfy the relation 
(40). 

(40) $SS^{-1} \bmod p = 1$

7. The proving device 41 returns the generated response R to the response storing means 405 of the verification 
device 40. 

8. The de-randomizing means 423 of the verification device 40 calculates K' according to the relation (41). 

(41) $K' = r^{-1} R \bmod p$

[0071] In course of calculation, the means uses the random number r stored in the random number storing means 
403 and the response R stored in the response storing means 405. 

Sixth Embodiment 

[0072] A sixth embodiment is substantially similar to the third embodiment except that the ElGamal public key 
cryptography is used this time instead of the RSA public key cryptography. In this embodiment, the definition of an access 
ticket t is given as the relation (42). 

(42) $t = X + F(p, e)$

[0073] The following bulleted paragraphs illustrate the symbols appearing in the relation (42). 

• An integer p is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying information is unique to 
an individual user: a different user identifying information is allocated to a different user. 

• Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (43) is 
satisfied. 

(43) $Y = G^{X} \bmod p$

[0074] In the relation (43), G denotes an integer representing a generator of the multiplicative group of the finite field 
of order p. 

• Equivalently, G satisfies the relations (44) and (45). 

(44) $G > 0$

(45) $\min\{x > 0 \mid G^{x} = 1 \bmod p\} = p - 1$

• X is called an access ticket secret key, while Y is called an access ticket public key. 

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (46). 

(46) $F(x, y) = h(x \mid y)$

[0075] Figs. 22 and 23 are for depicting this embodiment: Fig. 22 depicts the constitution of the devices of this 
embodiment; Fig. 23 depicts flow of data. 

[0076] In Fig. 22, a proving device 51 comprises the following means: a challenging data storing means 511; a first 
calculation means 512; an access ticket storing means 513; a second calculation means 514; a user identifying 
information storing means 515; a response generation means 516; and an exponent generation means 530. On the other 
hand, a verification device 50 comprises the following means: an access ticket public key storing means 501; a random 
number generation means 502; a random number storing means 503; a response storing means 505; a randomizing 
means 521; a challenge seed storing means 522; a de-randomizing means 523; and an execution means 310. 

[0077] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1. The verification device 50 is invoked by a user. 

2. The verification device 50 sends a pair (u, C) of challenging data and a modulus p to the challenging data storing 
means 511 of the proving device 51. The modulus p is stored in the access ticket public key storing means 501. 
On the other hand, the challenging data u and C are generated as follows. The first component u is stored in the 
challenge seed storing means 522, and satisfies the relation (47) for some secret random number z. 

(47) u = G^z mod p 

In the challenge seed storing means 522, one more seed C' is stored. C' satisfies the relation (48) for some 
crucial data K. 

(48) C' = Y^z K mod p 

Using this C' as a seed, the other component C is generated as follows. The random number generating means 
502 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p) = 1); the random 
integer r is stored in the random number storing means 503; the randomizing means 521 generates challenging 
data C according to the relation (49). 

(49) C = rC' mod p 

3. The first calculation means 512 of the proving device 51 calculates an intermediate result S according to the 
relation (50). An access ticket t to be used is stored in the access ticket storing means 513. 

(50) S = u^t mod p 

4. The exponent generation means 530 calculates F(p, e) by applying the collision-free function F to the modulus 
p, stored in the challenging data storing means 511, and the user identifying information e, stored in the user 
identifying information storing means 515. 

(51) F(p,e) 

5. Receiving the result from the exponent generation means 530, the second calculation means 514 of the proving 
device 51 calculates a differential S' according to the relation (52). 

(52) S' = u^{F(p, e)} mod p 

6. Receiving S and S' from the first calculation means 512 and the second calculation means 514, the response 
generation means 516 of the proving device 51 calculates a response R according to the relation (53). 

(53) R = S^{-1} S' C mod p 

In the relation (53), S^{-1} denotes the reciprocal of S over the modulus p. Hence, S and S^{-1} satisfy the relation (54). 

(54) S S^{-1} mod p = 1 

7. The proving device 51 returns the generated response R to the response storing means 505 of the verification 
device 50. 

8. The de-randomizing means 523 of the verification device 50 calculates K' according to the relation (55). 

(55) K' = r^{-1} R mod p 

[0078] In course of calculation, the means uses the random number r stored in the random number storing means 
503 and the response R stored in the response storing means 505. 

[0079] The straightforward implementation of the above constitution would involve the following problem: use of a 
common pair of seeds for challenging data (u, C) for more than one occurrence of authentication allows an attacker 
to construct a device which emulates the proving device 11 without the user identifying information or the access ticket. 
To construct such an emulator, H = R C^{-1} mod p is recorded first, where C is the challenging data at the first occurrence 
of authentication and R is the response to C calculated by the proving device 11. The emulator retains this H instead 
of the user identifying information e and the access ticket t, and on arbitrary input (u, C) issued by the verification device 
10, returns a response R calculated according to the relation R = HC mod p. Thus, the verification device 10 should 
have as many pairs of seeds (u, C) as necessary, and should use a distinct pair for each distinct occurrence of authentication 
(Note that k for u = G^z mod p is a random number). 
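
The following Python sketch is an added illustration, not part of the patent text: it runs the exchange of relations (47) to (55) and shows the point of [0079], namely that a recorded H = R C^{-1} mod p answers every later challenge built from the same seed pair but fails as soon as the verification device uses a distinct pair. The toy modulus p = 2^31 - 1 with G = 7, SHA-256 as h, the ticket form t = X + F(p, e) (taken from relation (56)), and all function names are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: p = 2^31 - 1 is prime and G = 7 generates its
# multiplicative group, as relations (44)-(45) require. Far too small for real use.
P = 2**31 - 1
G = 7
assert all(pow(G, (P - 1) // q, P) != 1 for q in (2, 3, 7, 11, 31, 151, 331))


def F(x, y):
    """Relation (46), F(x, y) = h(x|y), with SHA-256 standing in for h."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def keygen():
    """Access ticket key pair: secret X, public Y = G^X mod p."""
    while True:
        X = secrets.randbelow(P - 3) + 2
        if gcd(X, P - 1) == 1:      # demo choice: Y is then a generator too
            return X, pow(G, X, P)


def issue_ticket(X, e):
    """Assumed ticket definition t = X + F(p, e), as in relation (56)."""
    return X + F(P, e)


def make_seeds(Y, K):
    """Relations (47)-(48): u = G^z mod p and C' = Y^z K mod p."""
    z = secrets.randbelow(P - 2) + 1
    return pow(G, z, P), (pow(Y, z, P) * K) % P


def randomize(seed):
    """Relation (49): C = r C' mod p for a fresh r with gcd(r, p) = 1."""
    r = secrets.randbelow(P - 1) + 1
    return r, (r * seed) % P


def prove(u, C, t, e):
    """Proving device, relations (50)-(53): R = S^-1 S' C mod p."""
    S = pow(u, t, P)
    S_prime = pow(u, F(P, e), P)
    return (pow(S, -1, P) * S_prime * C) % P


def derandomize(r, R):
    """Relation (55): K' = r^-1 R mod p."""
    return (pow(r, -1, P) * R) % P


class Emulator:
    """Device from [0079]: holds only H = R C^-1 mod p from one observed run."""

    def __init__(self, C, R):
        self.H = (R * pow(C, -1, P)) % P

    def respond(self, u, C):
        return (self.H * C) % P


def demo():
    e, K = 424242, 123456789        # constructed user id and crucial data
    X, Y = keygen()
    t = issue_ticket(X, e)

    # First authentication, as seen by an observer of the exchange.
    u1, seed1 = make_seeds(Y, K)
    r1, C1 = randomize(seed1)
    R1 = prove(u1, C1, t, e)
    honest_ok = derandomize(r1, R1) == K
    emulator = Emulator(C1, R1)

    # Same seed pair again: the fresh r alone does not help.
    r2, C2 = randomize(seed1)
    reused_seed_fooled = derandomize(r2, emulator.respond(u1, C2)) == K

    # Distinct seed pair: the emulator fails, the real proving device passes.
    u2, seed2 = make_seeds(Y, K)
    while u2 == u1:
        u2, seed2 = make_seeds(Y, K)
    r3, C3 = randomize(seed2)
    fresh_seed_fooled = derandomize(r3, emulator.respond(u2, C3)) == K
    fresh_seed_honest = derandomize(r3, prove(u2, C3, t, e)) == K
    return honest_ok, reused_seed_fooled, fresh_seed_fooled, fresh_seed_honest


if __name__ == "__main__":
    print(demo())
```

With a reused pair the emulator's answer de-randomizes to K because H equals Y^{-z} for that one z; with a new z the verification device obtains Y^{z2 - z} K instead.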

Seventh Embodiment 

[0080] A seventh embodiment exploits the ElGamal signature rather than the RSA public key cryptography in the 
first three embodiments or the ElGamal public key cryptography in the sixth embodiment. 
[0081] In this embodiment, the definition of an access ticket t is given as the relation (56). 

(56) t = X + F(p, e) 

[0082] The following bulleted paragraphs illustrate the symbols appearing in the relation (56). 

• An integer p is a very large prime number. 

• A user identifying information e is an integer allocated to each user. The user identifying information e is unique 
to an individual user: a different user identifying information is allocated to a different user. 

• Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (57) is 
satisfied. 

(57) Y = G^X mod p 

[0083] In the relation (57), G denotes an integer representing a generator of the multiplicative group of the finite field 
of order p. 

[0084] Equivalently, an integer G satisfies the relations (58) and (59). 

(58) G > 0 

(59) min { x > 0 | G^x = 1 mod p } = p - 1 

[0085] X is called an access ticket secret key, while Y is called an access ticket public key. 

• A two variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be 
constructed using a one-way hash function h as the relation (60) shows. 

(60) F(x,y) = h(x|y) 

[0086] Figs. 24 and 25 are for depicting this embodiment: Fig. 24 depicts the constitution of the devices of this 
embodiment; Fig. 25 depicts flow of data. 

[0087] In Fig. 24, a proving device 61 comprises the following means: a challenging data storing means 611; a 
random number generation means 612; a first calculation means 613; a second calculation means 614; an access 
ticket storing means 615; and a user identifying information storing means 616. On the other hand, verification device 
60 comprises the following means: an access ticket public key storing means 601; a random number generation means 
602; a random number storing means 603; a response storing means 605; a verification means 606; an execution means 
607; and an error trapping means 608. 

[0088] By the following numbered paragraphs, the function of the means constituting the devices will be described 
step by step. 

1. The verification device 60 is invoked by a user. 

2. The verification device 60 sends challenging data C, a modulus p and a generator G to the challenging data 
storing means 611 of the proving device 61. The modulus p and the generator G are stored in the access ticket 
public key storing means 601. On the other hand, the challenging data u and C are generated as follows: the 
random number generation means 602 generates a random integer r so that r and the modulus n are relatively 
prime (gcd(r, n) = 1); the generated random integer r is stored in the random number storing means 603; finally, 
the random number generation means 602 sets the value of C to r. As stated later in more detail, the response 
which the proving device 61 is to return to the verification device 60 is the ElGamal signature of r with X as the 
signature key and p as the modulus. 

3. The random number generation means 612 of the proving device 61 generates a random integer k so that k 
and p are relatively prime (gcd(k, p) = 1). Receiving the random integer k from the random number generation 
means 612 and the modulus p and the generator G from the challenging data storing means 611, the first calculation 
means 613 calculates a first component R of a response according to the relation (61). 

(61) R = G^k mod p 

Concurrently, the second calculation means 614 calculates a second component S of a response according 
to the relation (62). 

(62) S = (C - R(t - F(p, e))) k^{-1} mod (p - 1) 

The access ticket t is stored in the access ticket storing means 615, and the modulus p and the challenging 
data C are stored in the challenging data storing means 611. 

4. The proving device 61 returns the generated response R to the response storing means 605 of the verification 
device 60. 

5. The verification means 606 of the verification device 60 examines the relation (63). 

(63) G^r = Y^R R^S mod p 

The random integer r is stored in the random number storing means 603; the response pair (R, S) is stored in the 
response storing means 605; the modulus p, the access ticket public key Y and the generator G are all stored in 
the access ticket public key storing means 601 . 
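
As an added example (not code from the patent), the seventh embodiment's exchange can be run end to end in Python: the proving device signs the challenge C = r per relations (61) and (62), and the verification device checks relation (63). Assumptions of this example: the toy modulus p = 2^31 - 1 with G = 7, SHA-256 as h, k drawn so that it is invertible modulo p - 1 (relation (62) needs k^{-1} mod p - 1), a range check on (R, S) in the verifier, and all function names.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: p = 2^31 - 1 is prime and G = 7 generates its
# multiplicative group (relations (58)-(59)). Far too small for real use.
P = 2**31 - 1
G = 7


def F(x, y):
    """Relation (60), F(x, y) = h(x|y), with SHA-256 standing in for h."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def issue_ticket(X, e):
    """Relation (56): t = X + F(p, e)."""
    return X + F(P, e)


def challenge():
    """Verification device 60: the challenging data C is the random integer r."""
    return secrets.randbelow(P - 2) + 1


def prove(C, t, e):
    """Proving device 61, relations (61)-(62)."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:          # k^-1 mod (p - 1) must exist
            break
    R = pow(G, k, P)
    S = ((C - R * (t - F(P, e))) * pow(k, -1, P - 1)) % (P - 1)
    return R, S


def verify(r, Y, response):
    """Verification means 606, relation (63): G^r = Y^R R^S mod p."""
    R, S = response
    if not (0 < R < P and 0 <= S < P - 1):   # range check added in this example
        return False
    return pow(G, r, P) == (pow(Y, R, P) * pow(R, S, P)) % P


def demo():
    X = secrets.randbelow(P - 3) + 2         # access ticket secret key
    Y = pow(G, X, P)                         # access ticket public key
    user_a, user_b = 1001, 1002              # constructed user identifying information
    t_a = issue_ticket(X, user_a)

    r = challenge()
    response = prove(r, t_a, user_a)
    accepted = verify(r, Y, response)

    # A recorded response does not satisfy relation (63) for a different r.
    r2 = challenge()
    while r2 == r:
        r2 = challenge()
    replay_accepted = verify(r2, Y, response)

    # The same ticket combined with another user's identifying information
    # yields t - F(p, e') != X, so the signature is made with the wrong key.
    wrong_user_accepted = verify(r, Y, prove(r, t_a, user_b))
    return accepted, replay_accepted, wrong_user_accepted


if __name__ == "__main__":
    print(demo())
```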

Eighth Embodiment 

[0089] An eighth embodiment provides an example specification of how to generate access tickets safely. 
[0090] In all of the previous embodiments, access tickets are calculated as the output of a predefined function on 
input of specific secret information, namely user identifying information and access ticket secret keys. Since leakage of 
that secret information threatens the safety of the entire scheme of authentication, a safe device may be necessary in 
generating access tickets. 

[0091] Such a device is required to provide the function which absolutely prevents leakage of the secret information 
contained within it or results of calculations carried out within it. 

[0092] One of the simplest ways to constitute such a safe device is to implement the services of generating and issuing 
access tickets to users on an isolated computer kept safe from any attempts at illegal access by users: in order to 
protect that server computer against physical access by users, the computer should be placed in a room to which 
entry is strictly controlled; further, if the server computer is networked with users' PCs and access tickets are issued 
to users over the network, the threat of attacks via the network should be taken into account; in protecting the server computer 
from those network attacks, the firewall technology (for details see "Building Internet Firewalls" by D. Brent Chapman 
and Elizabeth D. Zwicky, O'Reilly & Associates, Inc.) may be useful. 

[0093] As shown in the previous embodiments, an access ticket is generated so that only the user to whom the ticket 
is issued can use it. Speaking more accurately, a user may succeed in authentication procedure between a verification 
device and a proving device if and only if he is able to feed to the proving device both an access ticket and user 
identifying information based on which the access ticket has been generated. 

[0094] Moreover, access tickets stated in the previous embodiments satisfy a stricter standard of safety: there is no 
way to forge an access ticket or to construct a device which emulates the proving device even though an attacker is 
assumed to be able to collect an arbitrary number of access tickets issued by legitimate access ticket issuers. 
[0095] The fact that access ticket satisfies the above standard implies that access tickets are safe enough to be 
conveyed to users by relatively insecure means like electronic mails on Internet. 

Ninth Embodiment 

[0096] A ninth embodiment uses a composition method for an access ticket and user identifying information differing 
from those of the previous embodiments: this method is different from those of the previous embodiments in that the 
public information associated with user identifying information is used instead of the user identifying information itself 
in generating an access ticket. 

[0097] Therefore, according to the method stated below, a safe access ticket issuing server stated in the eighth 
embodiment is not necessary: a user is allowed to generate an access ticket with a program executed on his own PC 
or workstation. That program doesn't contain any secret information or any secret algorithm. 
[0098] The identifying information of a user U is the private key d_U of an RSA public key pair. By (e_U, n_U), the public 
key corresponding to the private key d_U is denoted. Hence, n_U = p_U q_U for two distinct large prime numbers p_U and q_U, 
and d_U and e_U are integers determined so as to satisfy the relations (64). 

(64) 1 < d_U < (p_U - 1)(q_U - 1) 
     1 < e_U < (p_U - 1)(q_U - 1) 
     e_U d_U ≡ 1 mod (p_U - 1)(q_U - 1) 

[0099] Hereafter, the condition that n_U is at least as large as a constant N common to all users is further assumed. 
[0100] An access ticket for a user U is composed as follows: the public key (E, n) of an RSA public key pair is taken 
to be the public key of the access ticket to be generated; the private key D which is paired with this public key (E, n) 
is taken to be the secret key of the access ticket; when the prime factorization of n is n = pq, the relations (65) are 
established; finally, the access ticket t_U is defined by the relation (66). 

(65) 1 ≤ D < N 
     DE = 1 mod (p - 1)(q - 1) 

(66) t_U = D^{e_U} mod n_U 

[0101] In the above composition, the unique security characteristic information for authentication process is the pri- 
vate key D. Same as the cases in the previous embodiments, a user succeeds in authentication procedures if and only 
if he is able to prove that he has means to calculate a right response to challenging data issued to him by a verification 
device: the calculated response is right only when it is calculated based on the unique security characteristic information 
D. 

[0102] The composition method presented in this embodiment is characterized by the property that an access ticket 
is encryption of the unique security characteristic information D and the user identifying information is the unique de- 
cryption key to obtain D from the access ticket. In addition, since the user identifying information is the private key of 
an RSA key pair, anybody who is allowed to know the public key paired with the private key can generate an access 
ticket for the user at will. 

[0103] Hereafter, the device composition and operation of the proving device 71 are described with reference to Fig. 
26. 

1. A verification device 10 sends challenging data C to a challenging data storing means 711 of a proving device 71. 

2. A decryption key generation means 712 of the proving device 71 acquires user identifying information d_U which 
is stored in a user identifying information storing means 715 and an access ticket t_U which is stored in an access 
ticket storing means 713, and then calculates D' according to the relation (67). 

(67) D' = t_U^{d_U} mod n_U 

3. On input of D' calculated by the decryption key generation means 712 and the challenging data C stored in the 
challenging data storing means 711, a response generation means 714 of the proving device 71 calculates a 
response R according to the relation (68). The calculated response R is returned to the verification device 10. 

(68) R = C^{D'} mod n 

4. The verification device 10 verifies the legitimacy of the response R. 

[0104] The access ticket secret key D in the definition of the access ticket t_U = D^{e_U} mod n_U must be kept secret from 
the user U. Therefore, the user identifying information storing means 713, the decryption key generation means 712 
and the response generation means 714 are to be incorporated in a defense means 760 which is tamper-resistant 
hardware. 

[0105] The same as the cases of the previous embodiments, the verification device authenticates access rights of 
the user if and only if he has the right pair of the ticket t_U and the user identifying information e. 

Tenth Embodiment 

[0106] A tenth embodiment is substantially the same as the ninth embodiment, except that a response R is calculated 
using a symmetric key cipher instead of using the RSA public key cryptography as in the ninth embodiment and an 
access ticket is RSA-encryption of the decryption key (same as the encryption key) D of the symmetric key cipher. As 
the encryption key to generate the access ticket, the public key (e_U, n_U) and the RSA algorithm are used. 
[0107] When the encryption function of the symmetric key encryption is expressed as Encrypt (key, plain message: 
the output of this function being the cipher message of the plain message which is the second argument of the function) 
and the decryption function is expressed as Decrypt (key, cipher message: the output being the plain message corre- 
sponding to the cipher message which is the second argument of the function), the challenging data C is defined by 
relation (69). 

(69) C = Encrypt (D, K) 

[0108] Furthermore, the access ticket t_U is defined by the relation (70). 

(70) t_U = D^{e_U} mod n_U 

[0109] Hereafter, the operation of the proving device 11 is described with reference to Fig. 26. 

1. A verification device 10 sends challenging data C to a challenging data storing means 711. 

2. A decryption key generation means 712 of the proving device 11 acquires user identifying information d_U which 
is stored in a user identifying information storing means 715 and an access ticket t_U which is stored in an access 
ticket storing means 713, and then calculates D' according to the relation (71). 

(71) D' = t_U^{d_U} mod n_U 

3. On input of D' calculated by the decryption key generation means 712 and the challenging data C stored in the 
challenging data storing means 711, a response generation means 714 of the proving device 11 calculates a 
response R according to the relation (72). The calculated response R is sent back to the verification device 10. 

(72) R = Decrypt (D', C) 

4. The verification device 10 verifies the legitimacy of the response R. 
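
The ticket composition shared by the ninth and tenth embodiments (relations (66)/(70) and (67)/(71)) is shown below as an added Python example, not taken from the patent, using the ninth embodiment's RSA response (68) and the check R^E mod n = C from claim 18. It also shows why [0099] requires n_U ≥ N > D: with an undersized user modulus the wrapped key D does not survive the round trip. The toy keys built from Mersenne primes, the exponent 65537, the bound N = 2^160 and all names are assumptions of this example.

```python
import secrets

E = 65537   # public exponent used for every toy key pair here (constructed)


def mersenne(k):
    return 2**k - 1


def rsa_keypair(p, q):
    """Return (e, d, n) with e*d = 1 mod (p-1)(q-1) for distinct primes p, q."""
    return E, pow(E, -1, (p - 1) * (q - 1)), p * q


# Constructed toy keys from Mersenne primes; the special form makes them insecure.
RES_E, RES_D, RES_N = rsa_keypair(mersenne(61), mersenne(89))       # (E, D), n
USER_E, USER_D, USER_N = rsa_keypair(mersenne(107), mersenne(127))  # user U
OTHER_E, OTHER_D, OTHER_N = rsa_keypair(mersenne(521), mersenne(607))  # user V
N_BOUND = 2**160                                # the constant N of [0099]


def issue_ticket(D, e_u, n_u):
    """Relation (66): t_U = D^e_U mod n_U, using only the user's public key.
    Enforces 1 <= D < N <= n_U (relation (65) and [0099])."""
    if not (1 <= D < N_BOUND <= n_u):
        raise ValueError("need 1 <= D < N <= n_U")
    return pow(D, e_u, n_u)


class ProvingDevice:
    """Stands in for the defense means 760: D' never leaves respond()."""

    def __init__(self, d_u, n_u, n):
        self._d_u, self._n_u, self._n = d_u, n_u, n

    def respond(self, C, t_u):
        D_prime = pow(t_u, self._d_u, self._n_u)    # relation (67)
        return pow(C, D_prime, self._n)             # relation (68)


def verify(C, R):
    """Verification as in claim 18: R^E mod n = C mod n."""
    return pow(R, RES_E, RES_N) == C % RES_N


def demo():
    t_u = issue_ticket(RES_D, USER_E, USER_N)
    C = secrets.randbelow(RES_N - 2) + 2

    # The ticket together with the matching private key d_U is accepted.
    accepted = verify(C, ProvingDevice(USER_D, USER_N, RES_N).respond(C, t_u))

    # The same ticket in a device holding another user's private key is not.
    other_accepted = verify(
        C, ProvingDevice(OTHER_D, OTHER_N, RES_N).respond(C, t_u))

    # Undersized user modulus: RSA returns D mod n_U, not D, and
    # issue_ticket refuses to wrap D under such a key.
    small_e, small_d, small_n = rsa_keypair(mersenne(31), mersenne(61))
    wrapped = pow(RES_D, small_e, small_n)
    survives = pow(wrapped, small_d, small_n) == RES_D
    try:
        issue_ticket(RES_D, small_e, small_n)
        refused = False
    except ValueError:
        refused = True
    return accepted, other_accepted, survives, refused


if __name__ == "__main__":
    print(demo())
```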

[0110] The foregoing description of preferred embodiments of this invention has been presented for purposes of 
illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, 
and modifications and variations are possible in light of the above teachings or may be acquired from practice of the 
invention. The embodiments were chosen and described in order to explain the principles of the invention and its 
practical application to enable one skilled in the art to utilize the invention in various embodiments and with various 
modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined 
by the claims appended hereto. 



Claims 

1. A device for authenticating user's access rights to resources comprising: 

first memory means (111) for storing challenging data (18); 

second memory means (115) for storing user unique identifying information (16); 

third memory means (113) for storing proof support information (13) which is a result of executing predeter- 
mined computations to the user unique identifying information (16) and unique security characteristic infor- 
mation (14) of the device; 

response generation means (116) for generating a response (19) from the challenging data (18) stored in the 
first memory means (111), the user unique identifying information (16) stored in the second memory means 
(115), and the proof support information (13) stored in the third memory means (113); and 
verification means (106) for verifying the legitimacy of the response (19) by verifying that the response (19), 
the challenging data (18) and the unique security characteristic information (14) of the device satisfy a specific 
predefined relation. 

2. The device for authenticating user's access rights to resources of claim 1 further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, at least confining the second memory means (115) and the response generation means (116). 
3. The device for authenticating user's access rights to resources of claim 1, wherein 

at least the second memory means (115) and the response generation means (116) are implemented within 
a small portable device such as a smart card. 

4. The device for authenticating user's access rights to resources of any of claims 1 through 3, wherein 

the response generation means (116) comprises: 

first calculation means (712) for replaying the unique security characteristic information (14) of the device by 
executing predetermined calculations to the user unique identifying information (16) stored in the second 
memory means (115) and the proof support information (13) stored in the third memory means (113); and 
second calculation means (714) for generating a response by executing predetermined calculations to the 
challenging data (18) stored in the first memory means (111) and the unique security characteristic information 
(14) of the device replayed by the first calculation means (712). 

5. The device for authenticating user's access rights to resources of any of claims 1 through 3, wherein 

the response generation means (116) comprises: 

third calculation means (112) for generating first intermediate information by executing predetermined calcu- 
lations to the challenging data stored in the first memory means and the proof support information stored in 
the third memory means; 

fourth calculation means (114) for generating second intermediate information by executing predetermined 
calculations to the challenging data (18) stored in the first memory means (111) and the user unique identifying 
information (16) stored in the second memory means (115); and 

fifth calculation means (116) for generating a response by executing predetermined calculations to the first 
intermediate information generated by the third calculation means (112) and the second intermediate infor- 
mation generated by the fourth calculation means (114). 

6. The device for authenticating user's access rights to resources of claim 5, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, at least confining the second memory means (115) and the fourth calculation means (114). 

7. The device for authenticating user's access rights to resources of claim 5, wherein 

at least the second memory means (115) and the fourth calculation means (114) are implemented within a 
portable device such as a smart card. 

8. The device for authenticating user's access rights to resources of any of claims 1 through ^, wherein 

the unique security characteristic information (14) of the device is a decryption key of a cipher function, 
the challenging data (18) is encryption of information using the cipher function with the encryption key corre- 
sponding to the decryption key, and 

the verification means (106) verifies the legitimacy of the response by verifying that the response (19) gener- 
ated by the response generation means (116) is identical with decryption of the challenging data with the 
decryption key. 

9. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein 

the unique security characteristic information (14) of the device is an encryption key of a cipher function, and 
the verification means (106) verifies the legitimacy of the response by verifying that the response (19) gener- 
ated by the response generation means (116) is identical with encryption of the challenging data with the 
encryption key. 

10. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein 

the characteristic information (14) of the device is the signature key of a digital signature function, and 
the verification means (106) verifies the legitimacy of the response by verifying that the response (19) gener- 
ated by the response generation means (116) is identical with the digital signature for the challenging data, 
which is calculated with the signature key. 
11. The device for authenticating user's access rights to resources of claim 8 or 9, wherein 

the cipher function is of the asymmetric key cryptography, and 

the unique security characteristic information (14) of the device is one component of the key pair of the cipher 
function. 

12. The device for authenticating user's access rights to resources of claim 11, wherein 

the cipher function is of the public key cryptography, and 

the unique security characteristic information (14) of the device is the private key of the public key pair of the 
cipher function. 

13. The device for authenticating user's access rights to resources of claim 8 or 9, wherein 

the cipher function is of the symmetric key cryptography, and 

the unique security characteristic information (14) of the device is the common key of the cipher function. 

14. The device for authenticating user's access rights to resources of any of claims 1 through 13, further comprising: 

a proving device (11) having the first memory means (111), the second memory means (115), the third memory 
means (113) and the response generation means (116); and 

a verification device (10) having fourth memory means for storing the challenging data (18), fifth memory 
means (105) for storing the response (19) and the verification means (106), wherein 
the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first 
memory means (111) of the proving device (11), the proving device (11) transfers the response (19) generated 
by the response generation means (116) to the fifth memory means (105) of the verification device (10), and 
the verification means (106) of the verification device (10) verifies the legitimacy of the response stored in the 
fifth memory means (105). 

15. The device for authenticating user's access rights to resources of claim 14, wherein 

the unique security characteristic information (14) of the device is an encryption key of a cipher function, 
the verification device (10) comprises random number generation means (102) for generating a random 
number and for storing it in the fourth memory means, and 

the verification means (106) verifies the legitimacy of the response by verifying that the response stored in the 
fifth memory means (105) is identical with encryption of the challenging data stored in the fourth memory 
means (103) with the encryption key. 

16. The device for authenticating user's access rights to resources of claim 14, wherein 

the unique security characteristic information (14) of the device is a decryption key of a cipher function, 
the verification device (10) comprises random number generation means (102) for generating a random 
number, sixth memory means (103) for storing the generated random number and seventh memory means 
(122) for storing a seed for challenging data, and wherein 

the random number generation means (102) stores the generated random number in the sixth memory means 
(103) while randomizing the seed for the challenging data stored in the seventh memory means (122) by 
executing predefined calculations to the random number stored in the sixth memory means (103) and the seed 
stored in the seventh memory means (122) and then storing the randomized seed as challenging data in the 
fourth memory means, and 

the verification means (106) of the verification device (10) de-randomizes the response stored in the fifth 
memory means (105) by executing predefined calculations to the random number stored in the sixth memory 
means (103) and the response stored in the fifth memory means (105), and then verifies the legitimacy of the 
de-randomized response by verifying that the de-randomized result is identical with decryption of the seed 
stored in the seventh memory means (122) with the decryption key which is the unique security characteristic 
information (14) of the device. 

17. The device for authenticating user's access rights to resources of claim 14, wherein 
the unique security characteristic information (14) of the device is the signature key of a digital signature 
function, and 

the verification device (10) comprises random number generation means (102) for generating a random 
number and storing the generated random number as challenging data in the fourth memory means, and 
wherein 

the verification means (106) of the verification device (10) verifies the legitimacy of the response by verifying 
that the response stored in the fifth memory means (105) is identical with the digital signature for the challenging 
data stored in the fourth memory means, which is calculated with the signature key which is the unique security 
characteristic information (14) of the device. 

18. The device for authenticating user's access rights to resources of claim 15, wherein 

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair 
with a modulus n, and 

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the 
response R stored in the fifth memory means (105), where E denotes the public key associated with the private 
key D, is congruent with the challenging data C stored in the fourth memory means modulo n, i.e. R^E mod n 
= C mod n. 

19. The device for authenticating user's access rights to resources of claim 16, wherein 

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair 
with a modulus n, 

a seed C' for challenging data stored in the seventh memory means (122) is an RSA-encryption of data K with 
the public key E of the RSA public key pair, i.e. DE mod φ(n) = 1, C' = K^E mod n, 

a random number r generated by the random number generation means (102) is stored in the sixth memory 
means (103), 

challenging data C generated and stored in the fourth memory means satisfies the relation C = r^E C' mod n, and 
the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (105) 
by verifying that the quotient of R divided by r modulo n is congruent with the data K modulo n, i.e. K mod n 
= r^{-1} R mod n. 

20. The device for authenticating user's access rights to resources of claim 18 or 19, wherein 

a proof support information t (13) stored in the third memory means (113) satisfies the relation t = D - e + w φ(n), 
where e denotes user unique identifying information (16) stored in the second memory means (115), w 
denotes a conflict-free random number determined dependent upon both n and e and φ(n) denotes the Euler 
number of n, and 

the response generated by response generation means (116) is identical with the D-th power of challenging 
data C stored in the first memory means (111) modulo n, i.e. R = C^D mod n. 

21. The device for authenticating user's access rights to resources of claim 20, wherein 

the response generation means (116) further comprises: 

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory 
means (111) modulo n, i.e. C^t mod n, where t denotes proof support information (13) stored in the third memory 
means (113); 

fourth calculation means (114) for calculating the e-th power of the challenging data C modulo n, i.e. C^e mod 
n, where e denotes user unique identifying information (16) stored in the second memory means (115); and 
fifth calculation means (116) for calculating a response R by multiplying the result calculated by the third 
calculation means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. R = C^t C^e 
mod n. 

22. The device for authenticating user's access rights to resources of claim 21, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (115) and the fourth calculation means (114). 

23. The device for authenticating user's access rights to resources of claim 18 or 19, wherein 
proof support information t (13) stored in the third memory means (113) satisfies the relation t = D + F(n, e), 
where e denotes user unique identifying information (16) stored in the second memory means (115), and F(x, 
y) denotes a two-variable collision-free function, and 

a response generated by the response generation means (116) is identical with the D-th power of challenging 
data C stored in the first memory means (111) modulo n, i.e. R = C^D mod n. 

24. The device for authenticating user's access rights to resources of claim 23, wherein 

the response generation means (116) further comprises: 

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory
means (111) modulo n, where t denotes the proof support information (13) stored in the third memory means
(113), i.e. C^t mod n;

fourth calculation means (114) for calculating the F(n, e)-th power of the challenging data C modulo n, i.e.
C^(F(n, e)) mod n, where e denotes the user unique identifying information (16) stored in the second memory
means (115) and F(x, y) denotes a two-variable collision-free function; and

fifth calculation means (116) for calculating a response R by dividing the result calculated by the third calculation
means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. R = C^t C^(-F(n, e)) mod n.

25. The device for authenticating user's access rights to resources of claim 24, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (115) and the fourth calculation means (114). 

26. The device for authenticating user's access rights to resources of claim 15, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of a
modulus p, and

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the
response R stored in the fifth memory means (105), where E denotes the counterpart key of the key D, i.e.
DE mod (p-1) = 1, is congruent with the challenging data C stored in the fourth memory means modulo p, i.e.
R^E mod p = C mod p.

27. The device for authenticating user's access rights to resources of claim 16, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of a
modulus p,

a seed C for challenging data stored in the seventh memory means (422) is Pohlig-Hellman-encryption of
data K with the counterpart key E of the key D, i.e. DE mod (p-1) = 1, C = K^E mod p,
a random number r generated by the random number generation means (402) is stored in the sixth memory 
means (403), 

challenging data C stored in the fourth memory means satisfies the relation C = mod p, and 
the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (405)
by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p, i.e. K mod p
= r^(-1) R mod p.

28. The device for authenticating user's access rights to resources of claim 26 or 27, wherein 

proof support information t (13) stored in the third memory means (413) satisfies the relation t = D + F(p, e),
where e denotes the user unique identifying information (16) stored in the second memory means (415), and
F(x, y) denotes a two-variable collision-free function, and

a response generated by the response generation means (416) is identical with the D-th power of challenging
data C stored in the first memory means (411) modulo p, i.e. R = C^D mod p.

29. The device for authenticating user's access rights to resources of claim 28, wherein 

the response generation means (416) further comprises: 

third calculation means (412) for calculating the t-th power of challenging data C stored in the first memory
means (411) modulo p, where t denotes the proof support information (13) stored in the third memory means
(413), i.e. C^t mod p;

fourth calculation means (414) for calculating the F(p, e)-th power of the challenging data C modulo p, i.e.
C^(F(p, e)) mod p, where e denotes the user unique identifying information (16) stored in the second memory
means (415) and F(x, y) denotes a two-variable collision-free function; and

fifth calculation means (416) for calculating a response R by dividing the result calculated by the third
calculation means (412) by the result calculated by the fourth calculation means (414) modulo p, i.e.
R = C^t C^(-F(p, e)) mod p.

30. The device for authenticating user's access rights to resources of claim 29, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the
outside, confining the second memory means (415) and the fourth calculation means (414).

31. The device for authenticating user's access rights to resources of claim 16, wherein 

the unique security characteristic information (14) of the device is the private key X of an ElGamal public key
pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. Y = G^X mod p,

u denotes the z-th power of G modulo p (u = G^z mod p) for a random number z,

K' denotes the product modulo p of the z-th power of Y modulo p and a data K, i.e. K' = Y^z K mod p,

the seventh memory means (522) retains the pair of u and K',

a random number r generated by the random number generation means (602) is stored in the sixth memory
means (603),

C denotes the product modulo p of K' and r, i.e. C = rK' mod p,

the fourth memory means retains the pair C and u, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (505)
by verifying that the quotient of R divided by r modulo p is congruent with K modulo p, i.e. K mod p = r^(-1) R mod p.

32. The device for authenticating user's access rights to resources of claim 31, wherein

proof support information t (13) stored in the third memory means (513) satisfies the relation t = D + F(p, e),
where e denotes the user unique identifying information (16) stored in the second memory means (515) and
F(x, y) denotes a two-variable collision-free function, and

a response R generated by the response generation means (516) is identical with the quotient of C divided
by X-th power of u modulo p, i.e. R = u^(-X) C mod p, where the pair C and u is the challenging data stored in the
first memory means (511).

33. The device for authenticating user's access rights to resources of claim 32, wherein

the response generation means (516) further comprises:

third calculation means (512) for calculating the t-th power of the component u of the challenging data pair
stored in the first memory means (511) modulo p, where t denotes proof support information stored in the third
memory means (513), i.e. u^t mod p;

fourth calculation means (514) for calculating the F(p, e)-th power of u modulo p, i.e. u^(F(p, e)) mod p, where e
denotes the user unique identifying information (16) stored in the second memory means (515) and F(x, y)
denotes a two-variable collision-free function; and

fifth calculation means (516) for calculating a response R by dividing the product of the other component C of
the challenging data pair and the result calculated by the fourth calculation means (514) by the result calculated
by the third calculation means (512) modulo p, i.e. R = C u^(F(p, e)) u^(-t) mod p.

34. The device for authenticating user's access rights to resources of claim 33, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the
outside, confining the second memory means (515) and the fourth calculation means (514).

35. The device for authenticating user's access rights to resources of claim 17, wherein 

the unique security characteristic information (14) of the device is the signature key X of an ElGamal public
key pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. Y = G^X mod p,

a response stored in the fifth memory means (605) is a pair of R and S, and

the verification means (606) verifies the legitimacy of the response R stored in the fifth memory means (605)
by verifying that the C-th power of G for the challenging data C stored in the fourth memory means is congruent
modulo p with the product of the R-th power of Y and the S-th power of R, i.e. G^C mod p = Y^R R^S mod p.

36. The device for authenticating user's access rights to resources of claim 35, wherein 

proof support information t (13) stored in the third memory means (613) satisfies the relation t = D + F(p, e), 
where e denotes the user unique identifying information (16) stored in the second memory means (616), and 
F(x, y) denotes a two-variable collision-free function, and 

the response generation means (116) generates a response pair R and S by carrying out the following steps of: 
generating a random number k; 

calculating R as the k-th power of G modulo p, i.e. R = G^k mod p; and
calculating S according to the relation S = (C - RX) k^(-1) mod (p-1).

37. The device for authenticating user's access rights to resources of claim 36, further comprising: 

protect means (160) for preventing any data inside from being observed or being tampered with from the 
outside, confining the second memory means (616) and the fourth calculation means (614). 

38. The device for authenticating user's access rights to resources of claim 4, wherein 

the user unique identifying information (16) stored in the second memory means (715) is a decryption key of
a cipher function,

the proof support information (13) stored in the third memory means (713) is an encryption of the unique
security characteristic information of the device with the encryption key corresponding to the decryption key, and

the first calculation means (712) calculates the unique security characteristic information (14) of the device by
decrypting the proof support information stored in the third memory means (713) with the decryption key stored
in the second memory means (715).

39. The device for authenticating user's access rights to resources of claim 38, wherein 

the cipher function is of the asymmetric key cryptography, and 

the user unique identifying information (16) is a component of the key pair of the cipher function. 

40. The device for authenticating user's access rights to resources of claim 39, wherein 

the cipher function is of the public key cryptography, and 

the user unique identifying information (16) is the private key of the public key pair of the cipher function. 

41. The device for authenticating user's access rights to resources of claim 38, wherein 

the cipher function is of the symmetric key cryptography, and 

the user unique identifying information (16) is the common secret key of the cipher function. 

42. The device for authenticating user's access rights to resources of claim 8 or 16, wherein

the verification device (10) further comprises:

eighth memory means (310a) for storing a clear data encryption of which is the challenging data or the seed
for challenging data stored in the first memory means (111); and

comparison means (310b) for examining whether the clear data stored in the eighth memory means (310a)
is identical with data inputted to the comparison means (310b), and wherein

the verification means (106) feeds the response or the de-randomized value of the response stored in the fifth
memory means (105) to the comparison means (310b), receives the answer from the comparison means
(310b), and thereby the verification means (106) verifies the legitimacy of the response if and only if the
received answer shows that the clear data stored in the eighth memory means (310a) is identical with the data
inputted to the comparison means (310b).

43. The device for authenticating user's access rights to resources of claim 8 or 16, wherein

the verification device (10) further comprises:

ninth memory means (310a) for storing a value obtained by applying a one-way function to clear data encryption
of which is the challenging data or the seed for challenging data stored in the seventh memory means (122);

sixth calculation means (310c) for outputting a value calculated by applying the one-way function to an inputted
data; and

comparison means (310b) for examining whether the value stored in the ninth memory means (310a) is
identical with data inputted to the comparison means (310b), and wherein

the verification means (106) feeds the response or the de-randomized value of the response to the sixth
calculation means (310c), receives a result from the sixth calculation means (310c), feeds the result to the
comparison means (310b) and receives an answer from the comparison means (310b), and thereby the verification
means (106) verifies the legitimacy of the response if and only if the received answer shows that the result of
the calculation by the sixth calculation means (310c) is identical with the data stored in the ninth memory
means (310a).

44. The device for authenticating user's access rights to resources of claim 8 or 16, wherein 

the verification device (10) further comprises: 

program execution means (310) for executing code of a program encryption of which is the challenging data
stored in the seventh memory means (122), and wherein

the verification means (106) feeds the response stored in the fifth memory means (105) as program code to 
the program execution means (310), and 

the program execution means (310) correctly functions if and only if the response generation means (116) 
correctly decrypts the challenging data which is an encryption of the code of the program, that is, the encryption 
of the program is correctly decrypted. 

45. The device for authenticating user's access rights to resources of claim 8 or 16, wherein 

the verification device (10) further comprises: 

program execution means (310); 

program storing means (310g); and

program decryption means (310h), and wherein

the program storing means (310g) stores code of a program a part or all of which is encrypted,

an encryption of the decryption key for the partial or whole encrypted program code is the challenging data
stored in the seventh memory means (122),

the verification means (106) feeds the response to the program decryption means (310h),

the program decryption means (310h) decrypts the program stored in the program storing means (310g) with
the response as a decryption key, and

the program execution means (310) correctly executes the decrypted program if and only if the response
generation means (116) correctly decrypts the challenging data, that is, the decryption key for decrypting the
encryption of the program is correctly decrypted.

46. The device for authenticating user's access rights to resources of claim 14, wherein

the proving device (11) and the verification device (10) are installed in a box material, and

the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first
memory means (111) of the proving device (11) and the proving device (11) transfers the response (19)
generated by the response generation means (116) to the fifth memory means (105) of the verification device (10)
without using a communication network outside of the box material.

47. A method for authenticating user's access rights to resources by verifying the legitimacy of a response generated 
from challenging data for proving the user's access rights, comprising: 

a step for storing the challenging data; 

a step for storing user unique identifying information; 

a step for storing proof support information which is a result of predetermined computations to the user unique 
identifying information and unique security characteristic information; 

a step for generating a response by executing predetermined computations to the challenging data, the user
unique identifying information and the proof support information; and

a step for verifying the legitimacy of the response by verifying that the response, the challenging data and the 
unique security characteristic information satisfy a specific predefined relation. 

48. A computer program product for use with a computer, the computer program product comprising: 

a computer usable medium having computer readable program code means embodied in the medium for 
causing the computer to generate a response (19) from challenging data (18), the legitimacy of which is to be 
verified for authenticating user's access rights, the computer program product having: 

computer readable program code means for causing the computer to store the challenging data (18); 
computer readable program code means for causing the computer to store user unique identifying information 
(16); 

computer readable program code means for causing the computer to store proof support information (13) 
which is a result of predetermined computations to the user unique identifying information (16) and unique 
security characteristic information (14); and 

computer readable program code means for causing the computer to generate a response (19) by executing 
predetermined computations to the challenging data (18), the user unique identifying information (16) and the 
proof support information (13). 

49. The computer program product of claim 48, comprising: 

computer readable program code means for causing the computer to verify the legitimacy of the response
(19) by verifying that the response (19), the challenging data (18) and the unique security characteristic information
(14) satisfy a specific predefined relation.

50. A program execution control device for authenticating user's access rights to resources by verifying the legitimacy 
of a response generated from challenging data for proving the user's access rights and controlling execution of a 
program based on the authentication of the user's access rights, comprising a device as defined in any one of 
claims 1 to 46 and 

continuation means for continuing execution of the program if the legitimacy of the response is verified. 

51. An information processing apparatus for authenticating user's access rights to specific information processing
resources by verifying the legitimacy of a response (19) generated for proving the user's access rights and
permitting access to the specific information processing resources, comprising a device as defined in any one of
claims 1 to 46 and

permission means for permitting access to the specific information processing resources if the legitimacy of 
the response is verified. 
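
The ticket arithmetic of claims 23-24 (RSA) and 31-33 (ElGamal), as an added Python example that is not part of the patent text. It assumes SHA-256 as the collision-free function F, toy Mersenne-prime moduli, a base G = 37 and constructed user secrets and key values; all function names are hypothetical.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P1, P2 = 2**31 - 1, 2**61 - 1
N = P1 * P2     # RSA modulus n
E = 65537       # RSA public exponent E
G = 37          # ElGamal base G modulo P2 (assumed value)


def F(x: int, y: int) -> int:
    """Stand-in for the two-variable collision-free function F(x, y): SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def issue_ticket(d: int, modulus: int, e: int) -> int:
    """Issuer: proof support information t = D + F(modulus, e), bound to user secret e."""
    return d + F(modulus, e)


def rsa_response(c: int, t: int, e: int) -> int:
    """Claim 24 prover: R = C^t * C^(-F(n, e)) mod n, which equals C^D mod n."""
    third = pow(c, t, N)           # third calculation means: needs only the ticket t
    fourth = pow(c, F(N, e), N)    # fourth calculation means: uses e, inside the protect means
    return third * pow(fourth, -1, N) % N   # fifth calculation means


def rsa_authenticate(k: int, r: int, t: int, e: int) -> bool:
    """Blinded verifier: seed K^E, challenge r^E * seed, accept when r^(-1) * R == K mod n."""
    seed = pow(k, E, N)
    challenge = pow(r, E, N) * seed % N
    response = rsa_response(challenge, t, e)
    return pow(r, -1, N) * response % N == k % N


def elgamal_response(c: int, u: int, t: int, e: int) -> int:
    """Claim 33 prover: R = C * u^F(p, e) * u^(-t) mod p, which equals u^(-X) * C mod p."""
    third = pow(u, t, P2)
    fourth = pow(u, F(P2, e), P2)
    return c * fourth * pow(third, -1, P2) % P2


def elgamal_authenticate(k: int, r: int, z: int, y: int, t: int, e: int) -> bool:
    """Claim 31 verifier: pair (u, K') = (G^z, Y^z * K), challenge (r * K', u)."""
    u = pow(G, z, P2)
    k_prime = pow(y, z, P2) * k % P2
    challenge = r * k_prime % P2
    response = elgamal_response(challenge, u, t, e)
    return pow(r, -1, P2) * response % P2 == k % P2


def demo() -> dict:
    """Run both schemes for the ticket's owner and for another user holding the same ticket."""
    owner, other = 0xA11CE, 0xB0B              # constructed user secrets e
    d = pow(E, -1, (P1 - 1) * (P2 - 1))        # RSA private key D, known only to the issuer
    x = 0x1234567                              # ElGamal private key X (plays the role of D in t)
    t_rsa = issue_ticket(d, N, owner)
    t_elg = issue_ticket(x, P2, owner)
    y = pow(G, x, P2)
    return {
        "rsa_owner": rsa_authenticate(123456789, 987654321, t_rsa, owner),
        "rsa_other": rsa_authenticate(123456789, 987654321, t_rsa, other),
        "elgamal_owner": elgamal_authenticate(42424242, 777777, 31337, y, t_elg, owner),
        "elgamal_other": elgamal_authenticate(42424242, 777777, 31337, y, t_elg, other),
    }


if __name__ == "__main__":
    print(demo())
```

The second user holds the same ticket t but a different e, so the F terms no longer cancel and the verifier rejects the response.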



Patent claims

1. A device for authenticating user's access rights to resources, comprising:

first memory means (111) for storing challenging data (18);

second memory means (115) for storing user unique identifying information (16);

third memory means (113) for storing proof support information (13) which is a result of executing
predetermined computations on the user unique identifying information (16) and unique security
characteristic information (14) of the device;

response generation means (116) for generating a response (19) from the challenging data (18) stored in the
first memory means (111), the user unique identifying information (16) stored in the second memory means (115)
and the proof support information (13) stored in the third memory means (113); and

verification means (106) for verifying the legitimacy of the response (19) by verifying that the
response (19), the challenging data (18) and the unique security characteristic information (14) of the device
satisfy a specific predefined relation.

2. The device for authenticating user's access rights to resources of claim 1, further comprising:

protect means (160) for preventing any data inside from being observed or being tampered with from the
outside, confining at least the second memory means (115) and the response generation means (116).

3. The device for authenticating user's access rights to resources of claim 1, wherein

at least the second memory means (115) and the response generation means (116) are implemented within a
small portable device such as a smart card.

4. The device for authenticating user's access rights to resources of any one of claims 1 to 3, wherein

the response generation means (116) comprises:

first calculation means (712) for reproducing the unique security characteristic information (14) of the
device by executing predetermined computations on the user unique identifying information (16) stored in the
second memory means (115) and the proof support information (13) stored in the third memory means (113); and

second calculation means (714) for generating a response by executing predetermined computations on the
challenging data (18) stored in the first memory means (111) and the unique security characteristic
information (14) of the device reproduced by the first calculation means (712).

5. The device for authenticating user's access rights to resources of any one of claims 1 to 3, wherein

the response generation means (116) comprises:

third calculation means (112) for generating first intermediate information by executing predetermined
computations on the challenging data stored in the first memory means and the proof support information
stored in the third memory means;

fourth calculation means (114) for generating second intermediate information by executing predetermined
computations on the challenging data (18) stored in the first memory means (111) and the user unique
identifying information (16) stored in the second memory means (115); and

fifth calculation means (116) for generating a response by executing predetermined computations on the first
intermediate information generated by the third calculation means (112) and the second intermediate
information generated by the fourth calculation means (114).

6. The device for authenticating user's access rights to resources of claim 5, further comprising:

protect means (160) for preventing any data inside from being observed or being tampered with from the
outside, confining at least the second memory means (115) and the fourth calculation means (114).

7. The device for authenticating user's access rights to resources of claim 5, wherein

at least the second memory means (115) and the fourth calculation means (114) are implemented within a
portable device such as a smart card.

8. The device for authenticating user's access rights to resources of any one of claims 1 to 7, wherein

the unique security characteristic information (14) of the device is a decryption key of a cipher function,

the challenging data (18) is an encryption of information using the cipher function with the encryption key
corresponding to the decryption key, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19)
generated by the response generation means (116) is identical with the decryption of the challenging data
with the decryption key.

9. The device for authenticating user's access rights to resources of any one of claims 1 to 7, wherein

the unique security characteristic information (14) of the device is an encryption key of a cipher function, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19)
generated by the response generation means (116) is identical with the encryption of the challenging data
with the encryption key.

10. The device for authenticating user's access rights to resources of any one of claims 1 to 7, wherein

the characteristic information (14) of the device is the signature key of a digital signature function, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19)
generated by the response generation means (116) is identical with the digital signature for the challenging
data, which is calculated with the signature key.

11. The device for authenticating user's access rights to resources of claim 8 or 9, wherein

the cipher function is of the asymmetric key cryptography, and

the unique security characteristic information (14) of the device is a component of the key pair of the
cipher function.

12. The device for authenticating user's access rights to resources of claim 11, wherein

the cipher function is of the public key cryptography, and

the unique security characteristic information (14) of the device is the private key of the public key pair
of the cipher function.

13. The device for authenticating user's access rights to resources of claim 8 or 9, wherein

the cipher function is of the symmetric key cryptography, and

the unique security characteristic information (14) of the device is the common key of the cipher function.

14. The device for authenticating user's access rights to resources of any one of claims 1 to 13, further
comprising:

a proving device (11) which includes the first memory means (111), the second memory means (115), the third
memory means (113) and the response generation means (116); and

a verification device (10) which includes fourth memory means for storing the challenging data (18), fifth
memory means (105) for storing the response (19) and the verification means (106), wherein

the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the
first memory means (111) of the proving device (11), the proving device (11) transfers the response (19)
generated by the response generation means (116) to the fifth memory means (105) of the verification
device (10), and the verification means (106) of the verification device (10) verifies the legitimacy of the
response stored in the fifth memory means (105).

15. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information (14) of the device is an encryption key of a cipher function,

the verification device (10) comprises random number generation means (102) for generating a random number
and storing it in the fourth memory means, and

the verification means (106) verifies the legitimacy of the response by verifying that the response stored in
the fifth memory means (105) is identical with the encryption of the challenging data stored in the fourth
memory means (103) with the encryption key.

16. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information (14) of the device is a decryption key of a cipher function,

the verification device (10) comprises random number generation means (102) for generating a random number,
sixth memory means (103) for storing the generated random number and seventh memory means (122) for storing
a seed for challenging data, and wherein

the random number generation means (102) stores the generated random number in the sixth memory means (103),
while the seed for the challenging data stored in the seventh memory means (122) is randomized by executing
predefined computations on the random number stored in the sixth memory means (103) and the seed stored in
the seventh memory means (122), and the randomized seed is then stored as challenging data in the fourth
memory means, and

the verification means (106) of the verification device (10) de-randomizes the response stored in the fifth
memory means (105) by executing predetermined computations on the random number stored in the sixth memory
means (103) and the response stored in the fifth memory means (105), and then verifies the legitimacy of the
de-randomized response by verifying that the de-randomized result is identical with the decryption of the
seed stored in the seventh memory means (122) with the decryption key, which is the unique security
characteristic information (14) of the device.

17. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information (14) of the device is the signature key of a digital
signature function, and

the verification device (10) comprises random number generation means (102) for generating a random number
and storing the generated random number as challenging data in the fourth memory means, and wherein

the verification means (106) of the verification device (10) verifies the legitimacy of the response by
verifying that the response stored in the fifth memory means (105) is identical with the digital signature
for the challenging data stored in the fourth memory means, which is calculated with the signature key that
is the unique security characteristic information (14) of the device.

18. Vorrichtung zum Authentifizieren von Benutzerzugangsrechten zu Ressourcen nach Anspruch 15, bei der 

die eindeutige Sicherheitskenninformation (14) der Vorrichtung der private Schlussel D eines RSA-Paars mit 
35 offentlichem Schlussel mit einem Modul n ist und 

die Verifikationsanordnung (106) die Richtigkeit der Antwort verifiziert, indem verifiziert wird, daB die E-te 
Potenz der in der funften Speicheranordnung (105) gespeicherten Antwort R, wobei E den dem privaten 
Schlussel D zugeordneten offentlichen Schlussel bezeichnet, kongruent mit den in der vierten Speicheran- 
ordnung gespeicherten Abfragedaten C modulo n ist, d.h. R E mod n = C mod n. 

40 

19. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair with a modulus n,

a seed C' for challenging data stored in the seventh memory means (122) is an RSA encryption of data K with the public key E of the RSA public key pair, i.e. $DE \bmod \phi(n) = 1$, $C' = K^E \bmod n$,

a random number r generated by the random number generation means (102) is stored in the sixth memory means (103),

challenging data C generated and stored in the fourth memory means satisfies the relation $C = r^E C' \bmod n$, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (105) by verifying that the quotient of R divided by r modulo n is congruent with the data K modulo n, i.e. $K \bmod n = r^{-1} R \bmod n$.


20. A device for authenticating user's access rights to resources according to claim 18 or 19, wherein

proof support information t (13) stored in the third memory means (113) satisfies the relation $t = D - e + w\,\phi(n)$, where e denotes unique identifying information of the user (16) stored in the second memory means (115), w is a conflict-free random number determined depending on both n and e, and $\phi(n)$ denotes the Euler number of n, and

the response generated by the response generation means (116) is identical to the D-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $R = C^D \bmod n$.

21. A device for authenticating user's access rights to resources according to claim 20, wherein

the response generation means (116) further comprises:

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $C^t \bmod n$, where t denotes proof support information (13) stored in the third memory means (113);

fourth calculation means (114) for calculating the e-th power of the challenging data C modulo n, i.e. $C^e \bmod n$, where e denotes unique identifying information of the user (16) stored in the second memory means (115); and

fifth calculation means (116) for calculating a response R by multiplying the result calculated by the third calculation means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. $R = C^t C^e \bmod n$.

22. A device for authenticating user's access rights to resources according to claim 21, further comprising:

defense means (160) for preventing any data inside it from being observed or tampered with from outside, which encloses the second memory means (115) and the fourth calculation means (114).

23. A device for authenticating user's access rights to resources according to claim 18 or 19, wherein

proof support information t (13) stored in the third memory means (113) satisfies the relation $t = D + F(n, e)$, where e denotes unique identifying information of the user (16) stored in the second memory means (115) and F(x, y) denotes a collision-free function of two variables, and

a response generated by the response generation means (116) is identical to the D-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $R = C^D \bmod n$.

24. A device for authenticating user's access rights to resources according to claim 23, wherein

the response generation means (116) further comprises:

third calculation means (112) for calculating the t-th power of challenging data C stored in the first memory means (111) modulo n, where t denotes the proof support information (13) stored in the third memory means (113), i.e. $C^t \bmod n$;

fourth calculation means (114) for calculating the F(n, e)-th power of the challenging data C modulo n, i.e. $C^{F(n,e)} \bmod n$, where e in the second memory means (115)

fifth calculation means (116) for calculating a response R by dividing the result calculated by the third calculation means (112) by the result calculated by the fourth calculation means (114) modulo n, i.e. $R = C^t C^{-F(n,e)} \bmod n$.

25. A device for authenticating user's access rights to resources according to claim 24, further comprising:

defense means (160) for preventing any data inside it from being observed or tampered with from outside, which encloses the second memory means (115) and the fourth calculation means (114).
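The RSA variants of claims 19 to 25 can be followed end to end in the sketch below, which is an added example and not part of the patent text. It runs the blinded challenge C = r^E C' mod n against both forms of proof support information (t = D - e + w phi(n) and t = D + F(n, e)); the toy key, the SHA-256 based stand-ins for F and for the derivation of w, and all function names are assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)              # D*E mod phi(n) = 1

USER_E = 0x1D5EED0001            # constructed unique identifying information e
K = 0x5EC2E7                     # constructed data K known to the verifier


def _h(*parts):
    """Hash the parts to an integer (stand-in for functions the claims leave open)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def F(n, e):
    """Assumed collision-free two-variable function F(x, y) of claim 23."""
    return _h("F", n, e)


# Issuer side: the only party that knows D.
def issue_ticket_phi(e):
    """Claim 20: t = D - e + w*phi(n); w is derived from n and e (assumed method)."""
    w = 1 + _h("w", N, e) % 2**64
    return D - e + w * PHI


def issue_ticket_f(e):
    """Claim 23: t = D + F(n, e)."""
    return D + F(N, e)


# Proving device: t may sit on the host, e stays inside the defense means.
def token_power(c, exponent):
    """Fourth calculation means: the only code that touches e or F(n, e)."""
    return pow(c, exponent, N)


def respond_phi(c, t, e):
    """Claim 21: R = C^t * C^e mod n, which equals C^D mod n."""
    return pow(c, t, N) * token_power(c, e) % N


def respond_f(c, t, e):
    """Claim 24: R = C^t * C^(-F(n,e)) mod n, which equals C^D mod n."""
    return pow(c, t, N) * pow(token_power(c, F(N, e)), -1, N) % N


class Verifier:
    """Claim 19: holds the seed C' = K^E mod n and blinds it with a fresh r."""

    def __init__(self, k):
        self.k = k
        self.seed = pow(k, E, N)
        self.r = None

    def challenge(self, r=None):
        while r is None or gcd(r, N) != 1:      # r must be invertible mod n
            r = secrets.randbelow(N - 2) + 2
        self.r = r
        return pow(r, E, N) * self.seed % N     # C = r^E * C' mod n

    def verify(self, response):
        # K mod n = r^-1 * R mod n
        return pow(self.r, -1, N) * response % N == self.k % N


def authenticate(issue, respond, ticket_user, token_user, r=None):
    """Run one exchange; the ticket was issued for ticket_user, the token holds token_user."""
    verifier = Verifier(K)
    t = issue(ticket_user)
    c = verifier.challenge(r)
    return verifier.verify(respond(c, t, token_user))


if __name__ == "__main__":
    print("phi ticket, right user:", authenticate(issue_ticket_phi, respond_phi, USER_E, USER_E))
    print("F ticket, right user:  ", authenticate(issue_ticket_f, respond_f, USER_E, USER_E))
    print("phi ticket, other user:", authenticate(issue_ticket_phi, respond_phi, USER_E, USER_E + 1))
```

Neither t nor e alone reveals D, and a ticket issued for one e fails with a token holding a different e, which is why only the second memory means and the fourth calculation means need tamper protection.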

26. A device for authenticating user's access rights to resources according to claim 15, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair with a modulus p, and

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means (105), where E denotes the counterpart key of the key D, i.e. $DE \bmod (p-1) = 1$, is congruent modulo p with the challenging data stored in the fourth memory means, i.e. $R^E \bmod p = C \bmod p$.
27. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair with a modulus p,

a seed C' for challenging data stored in the seventh memory means (422) is a Pohlig-Hellman encryption of data K with the counterpart key E of the key D, i.e. $DE \bmod (p-1) = 1$, $C' = K^E \bmod p$,

a random number r generated by the random number generation means (402) is stored in the sixth memory means (403),

challenging data C stored in the fourth memory means satisfies the relation $C = r^E C' \bmod p$, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (405) by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p, i.e. $K \bmod p = r^{-1} R \bmod p$.

28. A device for authenticating user's access rights to resources according to claim 26 or 27, wherein

proof support information t (13) stored in the third memory means (413) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (415) and F(x, y) denotes a collision-free function of two variables, and

a response generated by the response generation means (416) is identical to the D-th power of challenging data C stored in the first memory means (411) modulo p, i.e. $R = C^D \bmod p$.

29. A device for authenticating user's access rights to resources according to claim 28, wherein

the response generation means (416) further comprises:

third calculation means (412) for calculating the t-th power of challenging data C stored in the first memory means (411) modulo p, where t denotes the proof support information (13) stored in the third memory means (413), i.e. $C^t \bmod p$;

fourth calculation means (414) for calculating the F(p, e)-th power of the challenging data C modulo p, i.e. $C^{F(p,e)} \bmod p$, where e denotes the unique identifying information of the user (16) stored in the second memory means (415) and F(x, y) denotes a collision-free function of two variables; and

fifth calculation means (416) for calculating a response R by dividing the result calculated by the third calculation means (412) by the result calculated by the fourth calculation means (414) modulo p, i.e. $R = C^t C^{-F(p,e)} \bmod p$.

30. A device for authenticating user's access rights to resources according to claim 29, further comprising:

defense means (160) for preventing any data inside it from being observed or tampered with from outside, which encloses the second memory means (415) and the fourth calculation means (414).

31. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is the private key X of an ElGamal public key pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. $Y = G^X \bmod p$,

u denotes the z-th power of G modulo p ($u = G^z \bmod p$) for a random number z,

K' denotes the product modulo p of the z-th power of Y modulo p and a data value K, i.e. $K' = Y^z K \bmod p$,

the seventh memory means (522) holds the pair of u and K',

a random number r generated by the random number generation means (602) is stored in the sixth memory means (603),

C denotes the product modulo p of K' and r, i.e. $C = rK' \bmod p$,

the fourth memory means holds the pair of C and u, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (505) by verifying that the quotient of R divided by r modulo p is congruent with K modulo p, i.e. $K \bmod p = r^{-1} R \bmod p$.
32. A device for authenticating user's access rights to resources according to claim 31, wherein

proof support information t (13) stored in the third memory means (513) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (515) and F(x, y) denotes a collision-free function of two variables, and

a response R generated by the response generation means (516) is identical to the quotient of C divided by the X-th power of u modulo p, i.e. $R = u^{-X} C \bmod p$, where the pair of C and u is the challenging data stored in the first memory means (511).

33. A device for authenticating user's access rights to resources according to claim 32, wherein

the response generation means (516) further comprises:

third calculation means (512) for calculating the t-th power modulo p of the component u of the challenging data pair stored in the first memory means (511), where t denotes proof support information stored in the third memory means (513), i.e. $u^t \bmod p$;

fourth calculation means (514) for calculating the F(p, e)-th power of u modulo p, i.e. $u^{F(p,e)} \bmod p$, where e denotes the unique identifying information of the user (16) stored in the second memory means (515) and F(x, y) denotes a collision-free function of two variables; and

fifth calculation means (516) for calculating a response R by dividing the product of the other component C of the challenging data pair and the result calculated by the fourth calculation means (514) by the result calculated by the third calculation means (512) modulo p, i.e. $R = C\,u^{F(p,e)}\,u^{-t} \bmod p$.

34. A device for authenticating user's access rights to resources according to claim 33, further comprising:

defense means (160) for preventing any data inside it from being observed or tampered with from outside, which encloses the second memory means (515) and the fourth calculation means (514).

35. A device for authenticating user's access rights to resources according to claim 17, wherein

the unique security characteristic information (14) of the device is the signature key X of an ElGamal public key pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. $Y = G^X \bmod p$,

a response stored in the fifth memory means (605) is a pair of R and S, and

the verification means (606) verifies the legitimacy of the response R stored in the fifth memory means (605) by verifying that the C-th power of G, for the challenging data C stored in the fourth memory means, is congruent modulo p with the product of the R-th power of Y and the S-th power of R, i.e. $G^C \bmod p = Y^R R^S \bmod p$.

36. A device for authenticating user's access rights to resources according to claim 35, wherein

proof support information t (13) stored in the third memory means (613) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (616) and F(x, y) denotes a collision-free function of two variables, and

the response generation means (116) generates a response pair R and S by executing the following steps:

generating a random number k;

calculating R as the k-th power of G modulo p, i.e. $R = G^k \bmod p$; and

calculating S according to the relation $S = (C - RX)\,k^{-1} \bmod (p-1)$.

37. A device for authenticating user's access rights to resources according to claim 36, further comprising:

defense means (160) for preventing any data inside it from being observed or tampered with from outside, which encloses the second memory means (616) and the fourth calculation means (614).
38. A device for authenticating user's access rights to resources according to claim 4, wherein

the unique identifying information of the user (16) stored in the second memory means (715) is a decryption key of an encryption function,

the proof support information (13) stored in the third memory means (713) is an encryption of the unique security characteristic information of the device with the encryption key corresponding to the decryption key, and

the first calculation means (712) calculates the unique security characteristic information (14) of the device by decrypting the proof support information stored in the third memory means (713) with the decryption key stored in the second memory means (715).

39. A device for authenticating user's access rights to resources according to claim 38, wherein

the encryption function is of the asymmetric key cryptography type, and

the unique identifying information of the user (16) is one component of the key pair of the encryption function.

40. A device for authenticating user's access rights to resources according to claim 39, wherein

the encryption function is of the public key cryptography type, and

the unique identifying information of the user (16) is the private key of the public key pair of the encryption function.

41. A device for authenticating user's access rights to resources according to claim 38, wherein

the encryption function is of the symmetric key cryptography type, and

the unique identifying information of the user (16) is the common secret key of the encryption function.

42. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

eighth memory means (310a) for storing plain data whose encryption is the challenging data or the seed for the challenging data stored in the first memory means (111); and

comparison means (310b) for checking whether the plain data stored in the eighth memory means (310a) is identical to data input to the comparison means (310b), and wherein

the verification means (106) supplies the response, or the de-randomized value of the response stored in the fifth memory means (105), to the comparison means (310b), receives the answer returned by the comparison means (310b), and thereby the verification means (106) verifies the legitimacy of the response if and only if the received answer shows that the plain data stored in the eighth memory means (310a) is identical to the data input to the comparison means (310b).

43. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

ninth memory means (310a) for storing a value obtained by applying a one-way function to plain data whose encryption is the challenging data or the seed for challenging data stored in the seventh memory means (122);

sixth calculation means (310c) for outputting a value calculated by applying the one-way function to an input data value; and

comparison means (310b) for checking whether the value stored in the ninth memory means (310a) is identical to data input to the comparison means (310b), and wherein

the verification means (106) supplies the response or the de-randomized value of the response to the sixth calculation means (310c), receives a result from the sixth calculation means (310c), supplies the result to the comparison means (310b) and receives an answer returned by the comparison means (310b), and the comparison means (106) thereby verifies the legitimacy of the response if and only if the received answer shows that the result of the calculation by the sixth calculation means (310c) is identical to the data stored in the ninth memory means (310a).
44. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

program execution means (310) for executing code of a program whose encryption is the challenging data stored in the seventh memory means (122), and wherein

the verification means (106) supplies the response stored in the fifth memory means (105) to the program execution means (310) as program code, and

the program execution means (310) functions correctly if and only if the response generation means (116) correctly decrypts the challenging data, which is an encryption of the code of the program, i.e. if the encryption of the program is correctly decrypted.

45. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

program execution means (310);

program storage means (310g); and

program decryption means (310h), and wherein

the program storage means (310g) stores code of a program that is partially or entirely encrypted,

an encryption of the decryption key for the partially or entirely encrypted program code is the challenging data stored in the seventh memory means (122),

the verification means (106) supplies the response to the program decryption means (310h),

the program decryption means (310h) decrypts the program stored in the program storage means (310g) with the response as the decryption key, and

the program execution means (310) executes the decrypted program correctly if and only if the response generation means (116) correctly decrypts the challenging data, i.e. the decryption key for decrypting the encryption of the program is correctly decrypted.

46. A device for authenticating user's access rights to resources according to claim 14, wherein

the proving device (11) and the verification device (10) are installed in a housing-like arrangement, and

the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first memory means (111) of the proving device (11), and the proving device (11) transfers the response (19) generated by the response generation means (116) to the fifth memory means (105) of the verification device (10) without using a communication network outside the housing-like arrangement.

47. A method for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data to prove the user's access rights, comprising:

a step of storing the challenging data;

a step of storing unique identifying information of the user;

a step of storing proof support information which is a result of predetermined calculations on the unique identifying information of the user and unique security characteristic information;

a step of generating a response by executing predetermined calculations on the challenging data, the unique identifying information of the user and the proof support information; and

a step of verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation.

48. A computer program product for use with a computer, the computer program product comprising:

a computer usable medium having computer readable program code means embodied thereon for causing the computer to generate a response (19) from challenging data (18), the legitimacy of which is to be verified for authenticating user's access rights, the computer program product having:

computer readable program code means for causing the computer to store the challenging data (18);

computer readable program code means for causing the computer to store unique identifying information of the user (16);

computer readable program code means for causing the computer to store proof support information (13) which is a result of predetermined calculations on the unique identifying information of the user (16) and unique security characteristic information (14); and

computer readable program code means for causing the computer to generate a response (19) by executing predetermined calculations on the challenging data (18), the unique identifying information of the user (16) and the proof support information (13).

49. A computer program product according to claim 48, comprising:

computer readable program code means for causing the computer to verify the legitimacy of the response (19) by verifying that the response (19), the challenging data (18) and the unique security characteristic information (14) satisfy a specific predefined relation.

50. A program execution control device for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data to prove the user's access rights, and for controlling execution of a program on the basis of the authentication of the user's access rights, comprising a device according to any one of claims 1 to 46 and

continuation means for continuing execution of the program if the legitimacy of the response is verified.

51. An information processing apparatus for authenticating user's access rights to specific information processing resources by verifying the legitimacy of a response (19) generated to prove the user's access rights, and for granting access to the specific information processing resources, comprising a device according to any one of claims 1 to 46 and

grant means for granting access to the specific information processing resources if the legitimacy of the response is verified.



Claims

1. A device for authenticating user's access rights to resources, comprising:

first memory means (111) for storing challenging data (18);

second memory means (115) for storing unique identifying information of the user (16);

third memory means (113) for storing proof support information (13) which is a result of executing predetermined calculations on the unique identifying information of the user (16) and unique security characteristic information (14) of the device;

response generation means (116) for generating a response (19) from the challenging data (18) stored in the first memory means (111), the unique identifying information of the user (16) stored in the second memory means (115), and the proof support information (13) stored in the third memory means (113); and

verification means (106) for verifying the legitimacy of the response (19) by verifying that the response (19), the challenging data (18) and the unique security characteristic information (14) of the device satisfy a specific predefined relation.

2. A device for authenticating user's access rights to resources according to claim 1, further comprising:

defense means (160) for preventing any data inside from being observed or tampered with from outside, confining at least the second memory means (115) and the response generation means (116).

3. A device for authenticating user's access rights to resources according to claim 1, wherein at least the second memory means (115) and the response generation means (116) are implemented in a small portable device such as a smart card.

4. A device for authenticating user's access rights to resources according to any one of claims 1 to 3, wherein

the response generation means (116) comprises:

first calculation means (712) for recalculating the unique security characteristic information (14) of the device by executing predetermined calculations on the unique identifying information of the user (16) stored in the second memory means (115) and the proof support information (13) stored in the third memory means (113); and

second calculation means (714) for generating a response by executing predetermined calculations on the challenging data (18) stored in the first memory means (111) and the unique security characteristic information (14) of the device recalculated by the first calculation means (712).

5. A device for authenticating user's access rights to resources according to any one of claims 1 to 3, wherein

the response generation means (116) comprises:

third calculation means (112) for generating first intermediate information by executing predetermined calculations on the challenging data stored in the first memory means and the proof support information stored in the third memory means;

fourth calculation means (114) for generating second intermediate information by executing predetermined calculations on the challenging data (18) stored in the first memory means (111) and the unique identifying information of the user (16) stored in the second memory means (115); and

fifth calculation means (116) for generating a response by executing predetermined calculations on the first intermediate information generated by the third calculation means (112) and the second intermediate information generated by the fourth calculation means (114).

6. A device for authenticating user's access rights to resources according to claim 5, further comprising:

defense means (160) for preventing any data inside from being observed or tampered with from outside, confining at least the second memory means (115) and the fourth calculation means (114).

7. A device for authenticating user's access rights to resources according to claim 5, wherein

at least the second memory means (115) and the fourth calculation means (114) are implemented in a portable device such as a smart card.

8. A device for authenticating user's access rights to resources according to any one of claims 1 to 7, wherein

the unique security characteristic information (14) of the device is a decryption key of an encryption function,

the challenging data (18) is an encryption of information using the encryption function with the encryption key corresponding to the decryption key, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19) generated by the response generation means (116) is identical to the decryption of the challenging data with the decryption key.

9. A device for authenticating user's access rights to resources according to any one of claims 1 to 7, wherein

the unique security characteristic information (14) of the device is an encryption key of an encryption function, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19) generated by the response generation means (116) is identical to the encryption of the challenging data with the encryption key.

10. A device for authenticating user's access rights to resources according to any one of claims 1 to 7, wherein

the characteristic information (14) of the device is the signature key of a digital signature function, and

the verification means (106) verifies the legitimacy of the response by verifying that the response (19) generated by the response generation means (116) is identical to the digital signature for the challenging data which is calculated with the signature key.

11. A device for authenticating user's access rights to resources according to claim 8 or 9, wherein

the encryption function is of the asymmetric key cryptography type, and

the unique security characteristic information (14) of the device is one component of the key pair of the encryption function.

12. A device for authenticating user's access rights to resources according to claim 11, wherein

the encryption function is of the public key cryptography type, and

the unique security characteristic information (14) of the device is the private key of the public key pair of the encryption function.

13. A device for authenticating user's access rights to resources according to claim 8 or 9, wherein

the encryption function is of the symmetric key cryptography type, and

the unique security characteristic information (14) of the device is the common key of the encryption function.

14. A device for authenticating user's access rights to resources according to any one of claims 1 to 13, further comprising:

a proving device (11) comprising the first memory means (111), the second memory means (115), the third memory means (113) and the response generation means (116); and

a verification device (10) comprising fourth memory means for storing the challenging data (18), fifth memory means (105) for storing the response (19), and verification means (106), wherein

the verification device (10) transfers the challenging data (18) stored in the fourth memory means to the first memory means (111) of the proving device (11), the proving device (11) transfers the response (19) generated by the response generation means (116) to the fifth memory means (105) of the verification device (10), and the verification means (106) of the verification device (10) verifies the legitimacy of the response stored in the fifth memory means (105).

15. A device for authenticating user's access rights to resources according to claim 14, wherein

the unique security characteristic information (14) of the device is an encryption key of an encryption function,

the verification device (10) comprises random number generation means (102) for generating a random number and storing it in the fourth memory means, and

the verification means (106) verifies the legitimacy of the response by verifying that the response stored in the fifth memory means (105) is identical to the encryption of the challenging data stored in the fourth memory means (103) with the encryption key.

16. A device for authenticating user's access rights to resources according to claim 14, wherein

the unique security characteristic information (14) of the device is a decryption key of an encryption function,

the verification device (10) comprises random number generation means (102) for generating a random number, sixth memory means (103) for storing the generated random number and seventh memory means (122) for storing a seed for challenging data, and wherein

the random number generation means (102) stores the generated random number in the sixth memory means (103), randomizes the seed for challenging data stored in the seventh memory means (122) by executing predefined computations on the random number stored in the sixth memory means (103) and the seed stored in the seventh memory means (122), and then stores the randomized seed as challenging data in the fourth memory means, and

the verification means (106) of the verification device (10) de-randomizes the response stored in the fifth memory means (105) by executing predefined computations on the random number stored in the sixth memory means (103) and the response stored in the fifth memory means (105), and then verifies the legitimacy of the de-randomized response by verifying that the de-randomized result is identical to the decryption of the seed stored in the seventh memory means (122) with the decryption key which is the unique security characteristic information (14) of the device.

17. A device for authenticating user's access rights to resources according to claim 14, wherein

the unique security characteristic information (14) of the device is the signature key of a digital signature function, and

the verification device (10) comprises random number generation means (102) for generating a random number and storing the generated random number as challenging data in the fourth memory means, and wherein

the verification means (106) of the verification device (10) verifies the legitimacy of the response by verifying that the response stored in the fifth memory means (105) is identical to the digital signature for the challenging data stored in the fourth memory means, which is calculated with the signature key which is the unique security characteristic information (14) of the device.

18. A device for authenticating user's access rights to resources according to claim 15, wherein

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair with modulus n, and

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means (105), where E denotes the public key associated with the private key D, is congruent with the challenging data C stored in the fourth memory means modulo n, i.e. $R^E \bmod n = C \bmod n$.

19. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is the private key D of an RSA public key pair with modulus n,

a seed C' for challenging data stored in the seventh memory means (122) is an RSA encryption of data K with the public key E of the RSA public key pair, i.e. $DE \bmod \Phi(n) = 1$, $C' = K^E \bmod n$,

a random number r generated by the random number generation means (102) is stored in the sixth memory means (103),

challenging data C generated and stored in the fourth memory means satisfies the relation $C = r^E C' \bmod n$, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (105) by verifying that the quotient of R divided by r modulo n is congruent with the data K modulo n, i.e. $K \bmod n = r^{-1} R \bmod n$.

20. A device for authenticating user's access rights to resources according to claim 18 or 19, wherein

proof support information t (13) stored in the third memory means (113) satisfies the relation $t = D - e + w\Phi(n)$, where e denotes unique identifying information of the user (16) stored in the second memory means (115), w denotes a compatible random number determined in dependence on both n and e, and $\Phi(n)$ denotes the Euler number of n, and

the response generated by the response generation means (116) is identical to the D-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $R = C^D \bmod n$.

21. A device for authenticating user's access rights to resources according to claim 20, wherein

the response generation means (116) further comprises:

third computation means (112) for calculating the t-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $C^t \bmod n$, where t denotes the proof support information (13) stored in the third memory means (113);

fourth computation means (114) for calculating the e-th power of the challenging data C modulo n, i.e. $C^e \bmod n$, where e denotes the unique identifying information of the user (16) stored in the second memory means (115); and

fifth computation means (116) for calculating a response R by multiplying the result calculated by the third computation means (112) by the result calculated by the fourth computation means (114) modulo n, i.e. $R = C^t C^e \bmod n$.

22. A device for authenticating user's access rights to resources according to claim 21, further comprising:

protection means (160) for preventing any internal data from being observed or tampered with from the outside, confining the second memory means (115) and the fourth computation means (114).

23. A device for authenticating user's access rights to resources according to claim 18 or 19, wherein

proof support information t (13) stored in the third memory means (113) satisfies the relation $t = D + F(n, e)$, where e denotes unique identifying information of the user (16) stored in the second memory means (115), and F(x, y) denotes a collision-free two-variable function, and

a response generated by the response generation means (116) is identical to the D-th power of challenging data C stored in the first memory means (111) modulo n, i.e. $R = C^D \bmod n$.

24. A device for authenticating user's access rights to resources according to claim 23, wherein

the response generation means (116) further comprises:

third computation means (112) for calculating the t-th power of challenging data C stored in the first memory means (111) modulo n, where t denotes the proof support information (13) stored in the third memory means (113), i.e. $C^t \bmod n$;

fourth computation means (114) for calculating the F(n, e)-th power of the challenging data modulo n, i.e. $C^{F(n,e)} \bmod n$, where e denotes the unique identifying information of the user (16) stored in the second memory means (115) and F(x, y) denotes a collision-free two-variable function; and

fifth computation means (116) for calculating a response R by dividing the result calculated by the third computation means (112) by the result calculated by the fourth computation means (114) modulo n, i.e. $R = C^t C^{-F(n,e)} \bmod n$.

25. A device for authenticating user's access rights to resources according to claim 24, further comprising:

protection means (160) for preventing any internal data from being observed or tampered with from the outside, confining the second memory means (115) and the fourth computation means (114).

26. A device for authenticating user's access rights to resources according to claim 15, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of modulus p, and

the verification means (106) verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means (105), where E denotes the counterpart key of the key D, i.e. $DE \bmod (p-1) = 1$, is congruent with the challenging data C stored in the fourth memory means modulo p, i.e. $R^E \bmod p = C \bmod p$.

27. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is a key D of a Pohlig-Hellman key pair of modulus p,

a seed C' for challenging data stored in the seventh memory means (422) is a Pohlig-Hellman encryption of the data K with the counterpart key E of the key D, i.e. $DE \bmod (p-1) = 1$, $C' = K^E \bmod p$,

a random number r generated by the random number generation means (402) is stored in the sixth memory means (403),

challenging data C stored in the fourth memory means satisfies the relation $C = r^E C' \bmod p$, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (405) by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p, i.e. $K \bmod p = r^{-1} R \bmod p$.

28. A device for authenticating user's access rights to resources according to claim 26 or 27, wherein

the proof support information t (13) stored in the third memory means (413) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (415), and F(x, y) denotes a collision-free two-variable function, and

a response generated by the response generation means (416) is identical to the D-th power of challenging data C stored in the first memory means (411) modulo p, i.e. $R = C^D \bmod p$.

29. A device for authenticating user's access rights to resources according to claim 28, wherein

the response generation means (416) further comprises:

third computation means (412) for calculating the t-th power of challenging data C stored in the first memory means (411) modulo p, where t denotes the proof support information (13) stored in the third memory means (413), i.e. $C^t \bmod p$;

fourth computation means (414) for calculating the F(p, e)-th power of the challenging data C modulo p, i.e. $C^{F(p,e)} \bmod p$, where e denotes the unique identifying information of the user (16) stored in the second memory means (415) and F(x, y) denotes a collision-free two-variable function; and

fifth computation means (416) for calculating a response R by dividing the result calculated by the third computation means (412) by the result calculated by the fourth computation means (414) modulo p, i.e. $R = C^t C^{-F(p,e)} \bmod p$.

30. A device for authenticating user's access rights to resources according to claim 29, further comprising:

protection means (160) for preventing any internal data from being observed or tampered with from the outside, confining the second memory means (415) and the fourth computation means (414).

31. A device for authenticating user's access rights to resources according to claim 16, wherein

the unique security characteristic information (14) of the device is the private key X of an ElGamal public key pair with modulus p and generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. $Y = G^X \bmod p$,

u denotes the z-th power of G modulo p ($u = G^z \bmod p$) for a random number z,

K' denotes the product modulo p of the z-th power of Y modulo p and data K, i.e. $K' = Y^z K \bmod p$,

the seventh memory means (522) holds the pair of u and K',

a random number r generated by the random number generation means (602) is stored in the sixth memory means (603),

C denotes the product modulo p of K' and r, i.e. $C = rK' \bmod p$,

the fourth memory means holds the pair of C and u, and

the verification means (106) verifies the legitimacy of the response R stored in the fifth memory means (505) by verifying that the quotient of R divided by r modulo p is congruent with K modulo p, i.e. $K \bmod p = r^{-1} R \bmod p$.

32. A device for authenticating user's access rights to resources according to claim 31, wherein

the proof support information t (13) stored in the third memory means (513) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (515) and F(x, y) denotes a collision-free two-variable function, and

a response R generated by the response generation means (516) is identical to the quotient of C divided by the X-th power of u modulo p, i.e. $R = u^{-X} C \bmod p$, where the pair of C and u is the challenging data stored in the first memory means (511).

33. A device for authenticating user's access rights to resources according to claim 32, wherein

the response generation means (516) further comprises:

third computation means (512) for calculating the t-th power of the component u of the pair of challenging data stored in the first memory means (511) modulo p, where t denotes the proof support information stored in the third memory means (513), i.e. $u^t \bmod p$;

fourth computation means (514) for calculating the F(p, e)-th power of u modulo p, i.e. $u^{F(p,e)} \bmod p$, where e denotes the unique identifying information of the user (16) stored in the second memory means (515) and F(x, y) denotes a collision-free two-variable function; and

fifth computation means (516) for calculating a response R by dividing the product of the other component C of the pair of challenging data and the result calculated by the fourth computation means (514) by the result calculated by the third computation means (512) modulo p, i.e. $R = C u^{F(p,e)} u^{-t} \bmod p$.

34. A device for authenticating user's access rights to resources according to claim 33, further comprising:

protection means (160) for preventing any internal data from being observed or tampered with from the outside, confining the second memory means (515) and the fourth computation means (514).

35. A device for authenticating user's access rights to resources according to claim 17, wherein

the unique security characteristic information (14) of the device is the signature key X of an ElGamal public key pair with modulus p and generator G,

the public key Y corresponding to X is the X-th power of G modulo p, i.e. $Y = G^X \bmod p$,

a response stored in the fifth memory means (605) is a pair of R and S, and

the verification means (606) verifies the legitimacy of the response R stored in the fifth memory means (605) by verifying that the C-th power of G, for the challenging data C stored in the fourth memory means, is congruent modulo p with the product of the R-th power of Y and the S-th power of R, i.e. $G^C \bmod p = Y^R R^S \bmod p$.

36. A device for authenticating user's access rights to resources according to claim 35, wherein

the proof support information t (13) stored in the third memory means (613) satisfies the relation $t = D + F(p, e)$, where e denotes the unique identifying information of the user (16) stored in the second memory means (616), and F(x, y) denotes a collision-free two-variable function, and

the response generation means (116) generates a pair of responses R and S by executing the following steps:

generating a random number k;

calculating R as the k-th power of G modulo p, i.e. $R = G^k \bmod p$; and

calculating S according to the relation $S = (C - RX)\,k^{-1} \bmod (p-1)$.

37. A device for authenticating user's access rights to resources according to claim 36, further comprising:

protection means (160) for preventing any internal data from being observed or tampered with from the outside, confining the second memory means (616) and the fourth computation means (614).

38. A device for authenticating user's access rights to resources according to claim 4, wherein

the unique identifying information of the user (16) stored in the second memory means (715) is a decryption key of an encryption function,

the proof support information (13) stored in the third memory means (713) is an encryption of the unique security characteristic information of the device with the encryption key corresponding to the decryption key, and

the first computation means (712) calculates the unique security characteristic information (14) of the device by decrypting the proof support information stored in the third memory means (713) with the decryption key stored in the second memory means (715).

39. A device for authenticating user's access rights to resources according to claim 38, wherein

the encryption function is of the asymmetric key cryptography type, and

the unique identifying information of the user (16) is one component of the key pair of the encryption function.

40. A device for authenticating user's access rights to resources according to claim 39, wherein

the encryption function is of the public key cryptography type, and

the unique identifying information of the user (16) is the private key of the public key pair of the encryption function.

41. A device for authenticating user's access rights to resources according to claim 38, wherein

the encryption function is of the symmetric key cryptography type, and

the unique identifying information of the user (16) is the common secret key of the encryption function.

42. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

eighth memory means (310a) for storing plain data of which the challenging data, or the seed for challenging data, stored in the first memory means (111) is an encryption; and

comparison means (310b) for examining whether the plain data stored in the eighth memory means (310a) is identical to data input to the comparison means (310b), and wherein

the verification means (106) passes the response, or the de-randomized value of the response, stored in the fifth memory means (105) to the comparison means (310b), receives the answer from the comparison means (310b), and thereby verifies the legitimacy of the response if and only if the received answer shows that the plain data stored in the eighth memory means (310a) is identical to the data input to the comparison means (310b).
43. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

ninth memory means (310a) for storing a value obtained by applying a one-way function to plain data of which the challenging data, or the seed for challenging data stored in the seventh memory means (122), is an encryption;

sixth computation means (310c) for outputting a value calculated by applying the one-way function to input data; and

comparison means (310b) for examining whether the value stored in the ninth memory means (310a) is identical to data input to the comparison means (310b), and wherein

the verification means (106) passes the response, or the de-randomized value of the response, to the sixth computation means (310c), receives a result from the sixth computation means (310c), passes the result to the comparison means (310b) and receives an answer from the comparison means (310b), and the verification means (106) thereby verifies the legitimacy of the response if and only if the received answer shows that the result of the computation executed by the sixth computation means (310c) is identical to the data stored in the ninth memory means (310a).

44. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

program execution means (310) for executing code of a program, an encryption of which is the challenging data stored in the seventh memory means (122), and wherein

the verification means (106) passes the response stored in the fifth memory means (105) as program code to the program execution means (310), and

the program execution means (310) operates correctly if and only if the response generation means (116) correctly decrypts the challenging data, which is an encryption of the program code, i.e. if the encryption of the program is correctly decrypted.

45. A device for authenticating user's access rights to resources according to claim 8 or 16, wherein

the verification device (10) further comprises:

program execution means (310);

program storing means (310g); and

program decryption means (310h), and wherein

the program storing means (310g) stores code of a program, all or part of which is encrypted,

an encryption of the decryption key for the partially or wholly encrypted program code is the challenging data stored in the seventh memory means (122),

the verification means (106) passes the response to the program decryption means (310h),

the program decryption means (310h) decrypts the program stored in the program storing means (310g) with the response as the decryption key, and

the program execution means (310) correctly executes the decrypted program if and only if the response generation means (116) correctly decrypts the challenging data, i.e. if the decryption key for decrypting the encryption of the program is correctly decrypted.

46. A device for authenticating user's access rights to resources according to claim 14, wherein

the proving device (11) and the verification device (10) are installed in hardware within a casing, and

the proving device (10) transfers the challenging data (18) stored in the fourth memory means to the first memory means (111) of the proving device (11), and the proving device (11) transfers the response (19) generated by the response generation means (116) to the fifth memory means (105) of the verification device (10), without using any communication network outside the hardware casing.
47. A method for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data to prove the user's access rights, comprising:

a step of storing the challenging data;

a step of storing unique identifying information of the user;

a step of storing proof support information which is a result of predetermined computations executed on the unique identifying information of the user and the unique security characteristic information;

a step of generating a response by executing predetermined computations on the challenging data, the unique identifying information of the user and the proof support information; and

a step of verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information satisfy a specific predefined relation.

48. A computer program product for use with a computer, the computer program product comprising:

a computer usable medium having computer readable program code means embodied in the medium for causing the computer to generate a response (19) from challenging data (18) whose legitimacy is to be verified for authenticating user's access rights, the computer program product having:

computer readable program code means for causing the computer to store the challenging data (18);

computer readable program code means for causing the computer to store unique identifying information of the user (16);

computer readable program code means for causing the computer to store proof support information (13) which is the result of predetermined computations executed on the unique identifying information of the user (16) and the unique security characteristic information (14); and

computer readable program code means for causing the computer to generate a response (19) by executing predetermined computations on the challenging data (18), the unique identifying information of the user (16) and the proof support information (13).

49. A computer program product according to claim 48, comprising:

computer readable program code means for causing the computer to verify the legitimacy of the response (19) by verifying that the response (19), the challenging data (18) and the unique security characteristic information (14) satisfy a specific predefined relation.

50. A program execution control device for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data to prove the user's access rights, and for controlling execution of a program based on the authentication of the user's access rights, comprising a device as defined in any one of claims 1 to 46 and

continuation means for continuing execution of the program if the legitimacy of the response is verified.

51. A computing device for authenticating user's access rights to specific information processing resources by verifying the legitimacy of a response (19) generated to prove the user's access rights, and for permitting access to the specific information processing resources, comprising a device as defined in any one of claims 1 to 46 and

permission means for permitting access to the specific information processing resources if the legitimacy of the response is verified.
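
The RSA variants of claims 19 to 21 and 23 to 24, worked through in Python as an added example (not code from the patent). The toy primes, the use of SHA-256 as the collision-free function F, the sample user values and all function and class names are assumptions made here for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)      # Euler number Phi(n)
E = 65537                    # public key E
D = pow(E, -1, PHI)          # private key D, the unique security characteristic information (14)


def unit(n):
    """Return a random element that is invertible modulo n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x


def F(n, e):
    """Stand-in for the collision-free function F(x, y); SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256(f"{n}|{e}".encode()).digest(), "big")


# Ticket issuer: the only party that knows D. It binds D to one user's value e.
def ticket_claim20(e):
    w = secrets.randbelow(2**32) + 1   # w >= 1 keeps t positive as long as e < Phi(n)
    return D - e + w * PHI             # t = D - e + w*Phi(n)


def ticket_claim23(e):
    return D + F(N, e)                 # t = D + F(n, e)


# Proving device: holds e and t, and is never given D on its own.
def respond_claim21(C, e, t):
    return pow(C, t, N) * pow(C, e, N) % N          # R = C^t * C^e mod n


def respond_claim24(C, e, t):
    return pow(C, t, N) * pow(C, -F(N, e), N) % N   # R = C^t * C^(-F(n,e)) mod n


class Verifier:
    """Verification device of claim 19: stores the seed C' and blinds it on every run."""

    def __init__(self, K):
        self.K = K
        self.seed = pow(K, E, N)                    # C' = K^E mod n
        self.r = None

    def challenge(self):
        self.r = unit(N)                            # fresh random number r
        return pow(self.r, E, N) * self.seed % N    # C = r^E * C' mod n

    def verify(self, R):
        return pow(self.r, -1, N) * R % N == self.K  # K = r^-1 * R mod n


def demo():
    """Run both ticket forms; report (accepted, wrong user accepted, replay accepted)."""
    alice, other = 0x1234567890ABCDEF, 0x0FEDCBA987654321   # constructed user values e
    results = {}
    for name, issue, respond in (("claims 20-21", ticket_claim20, respond_claim21),
                                 ("claims 23-24", ticket_claim23, respond_claim24)):
        v = Verifier(unit(N))
        t = issue(alice)
        R = respond(v.challenge(), alice, t)
        ok = v.verify(R)
        wrong_user = v.verify(respond(v.challenge(), other, t))
        replay = v.verify(R)            # old R checked against the newest blinded challenge
        results[name] = (ok, wrong_user, replay)
    return results


if __name__ == "__main__":
    print(demo())
```

In the claim 20 form, t + e is itself a working private exponent (D plus a multiple of Φ(n)), which is why claim 22 confines the second memory means and the fourth computation means inside the protection means.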
